Hello friends! It’s been quite some time since I’ve blogged – shame on me. No excuses as I can’t say I’ve been particularly busy or engaged in anything mind-blowing. The truth is I haven’t had much to write about lately & I’m not going to deliver nonsense because then I would lose your trust. I err on the side of quality vs. quantity as I hope everyone reading this does. My quest to become a better developer is something that has been keeping me occupied lately. To that end, learning MEAN stack development is something I really want to get better at. How can I understand how to break something if I don’t know how to build it? It’s in its infancy but my goal is to build a vulnerable MEAN stack application and release it to Github for everyone to tear it apart and understand how the typical web application vulnerabilities manifest themselves in a MEAN stack application at the code level. No promises but I hope by the end of the year I could deploy the beta version. Enough updates let’s get down to the point of this post.
Having an awesome company isn’t something to take for granted. For me this means quality and diversity of work, culture, work environment and plenty things in between; but the biggest part of that is the investment the company provides you in terms of self improvement and development. To say that I get spoiled currently is an understatement! Imagine how ecstatic I was to find an OWASP conference that was so close I wouldn’t even need a flight. I usually with puppy eyes ask my boss if it’s possible to attend, he runs it up the flag-pole and soon gives me the okay to book it. This would be my first OWASP conference & training. The first 3 days there was an assortment of training’s followed by the last 2 day being the actual conference and a CTF. The training course that caught my eye was Seth & Ken’s Excellent Adventures in Code Review. The description read as follow
This was a tough to select since there were training on a bunch of things I was interested in including Serverless Security, API Security, Security in Single Paged App, DevOps Security, and Building a Appsec Program with OWASP. I wish I had like 5 clones and could take them all but such is life. I arrived Sunday night 9/8/2019 after a 3 hour train ride grabbed some food and made sure to get a great nights rest.
Training:
After an introduction from the instructors we were provided a USB (which proved to be safe but everyone questioned) to download the materials. It included an OVA image of the VM we were going to utilize for the course. Essentially it was just a Ubuntu image pre-loaded with vulnerable application’s source code and ATOM IDE which is pretty slick. A giant portion of this day was determining the scope of code review and building a methodology. Having a solid methodology is uber important since given millions of lines of code to review of an unknown application, various frameworks or unfamiliar language can be a daunting task. A question I’d always ask myself is “where do I begin”. We learned how to perform an application assessment & overview. This is the first step where you profile the application beginning to understand things such as
Frameworks & Languages
3rd Party Components
Techstack
Datastores
Checking Framework Documentation
Looking for Unit Test
Code Comments
Spending the time here proved most important and the most difficult. Naturally the hacker in you wants to start hunting for vulnerabilities and going down rabbit holes. Don’t Do This! Be disciplined is the only I can give you here.
Then comes information gathering
Mapping Route and Endpoints
We learning how request flow from the routing to authorization functions, processing logic through the DB and back to the user in a number of frameworks
Rails
NodeJS & Express
Django
.NET
Reviewing authorization decorators
Risk brainstorming
Sources and Sinks
From this you’ll have a checklist of things to review. That’ the methodology!
Using the information from above we dove into specific areas of the application (which in itself is sorta difficult to find).
Authorization
Broken Access Controls
Sensitive Data Exposure
Mass Assignment
Business Logic Flaw
Authentication
Broken Authentication
User Enumeration
Session Management Issues
Authentication Bypass
Brute Force Attacks
Auditing
Sensitive Data Exposure
Insufficient Logging & Monitoring
Debug Messages
Error Handling
Information Leakage
Injection
Injection
XXE
XXS
Redirects
SSRF (recently popular I wonder why)
Cryptography
Lack of Encryption
Improper Encryption
Insecure Token Generation
Configuration Review
Security Misconfigurations
3rd Party Libraries, Frameworks, Dependencies
After lunch on the last day we broke off into groups, selected an open source application and followed the process from start to finish. We were hoping for some CVE’s but we didn’t come up with anything shocking. I love when you have practical sessions like this. You’d be surprised how much you learn by doing instead of just listening. All the groups presented their findings to the class at the end.
Conference:
The keynote started off with an pretty amazing guy technical Director of Security from the NSA Neal Ziring – Applying Security Engineering Principles to Complex Composite Systems
Here are some of the talks I attended:
A Structured Code Audit Approach to Find Flaws in Highly Audited Webapps
Using the OWASP Application Security Verification Standard 4.0 to Secure Your Applications
Securing Serverless by Breaking-in
Owning the Cloud through SSRF and PDF Generators
DevSecOps: Essential Pipeline Tooling to Enable Continuous Security
The As, Bs, and Four Cs of Testing Cloud-Native Applications
OWASP Serverless Top 10
Farewell, WAF – Exploiting SQL Injection from Mutation to Polymorphism
Final Thoughts:
I really enjoyed my first OWASP Application Security conference. In addition to all the technical knowledge gained I always try my best to network and interact with as many people as possible. I can see myself definitely attending again in the future. There was tons of swag being given away, t-shirts, socks, gadgets you name it. I didn’t participate in the CTF because it ran during the same hours as the conference. That was weird because some people solely did the CTF and didn’t see the talks at the conference. I wish it was more SANs like where it’s after hours but such is life.
Best Part:
The best part is literally all the slides, handouts, cheat-sheets are available online! This was so appalling to me I asked them why wasn’t it a locked resource or something password protected. The answer was, “If you can get all the value you need without us teaching it we’re useless” in addition we want you to go back and share the information w/ you teams and colleagues. This is the differentiator OWASP is here to protect the masses and knows we are more effective being collaborative and sharing knowledge. I think that was pretty special! So here you are – the github with all the materials, source code and lecture slides! Cheers.
Lately I’ve been more busy than usual. Getting my business off the ground, work, life and other things. I’ve got to get to all the messages & of course say THANK YOU for all the well wishes and kind words. By now you probably know even with all that going on, my free time is selfishly spent exclusively on myself The course I’m referring to is here Attacking and Defending Active Directory by PentesterAcademy.
Why’d You Even Decide To Take It?
Good question that I feel the need to spend some time on. No exaggeration hundreds of people hit me up asking for advice on certs. Since I’ve never necessarily chased a cert for a new position, promotion or anything like that my stance may not reflect everyone’s exact situation. All my certs came from just wanting to gain the knowledge that the cert provided in my quest to get more diverse and deeper into the different security domains. Of course I try to be targeted going after the most distinguished, the most reputable organizations, but really after completing the course and obtaining the cert is a little sad to me . That’s when the fun stops. I encourage you to just continually just challenge yourself and see if you have a breaking point. There’s always time. Being frustrated at yourself while stuck trying to comprehend something new, that’s complex, is ammo for the brain. I love learning, double points if it’s something totally new. It’s like I can feel the new neural pathways in my head growing. I’m always stuck. I’m always reading things 3 times over but I bet you I won’t continue until I completely absorb what I’m reading. Fight the good fight and be better than you were yesterday. Live by it.
After I passed GREM I was in a somber mood similar to how I feel after every cert when all the happiness wears off. Sometimes as soon as the car ride home a question creeps into my mind and it doesn’t go away. “What’s next?” Giving you guys some context I mainly do Application Security for work. My goal is to be a specialist in a few things and a generalist in many. You know what I don’t have? Red-Team experience (besides the basic definition) and absolutely no knowledge of AD (okay maybe a little). I continued thinking wth how’s that even possible? Then I thought most my hacking is through flag based scenarios and courses. If you’re compromising a user you’re typically exploiting a service, process, or application running in the context of that user. Once I started researching things like lateral movement, exploiting trust relationships between domains, abusing ACLs I was sold. That was my motivation to pay for the course. Oh yeah. It’s was $250 HA! For the value this is EASILY the best course I ever enrolled in .
What Was It Like?
Incredible! Continuing on “value” I received 36 course videos, a copy of the video slides, lab manual, 30 day access to their AWS AD environment, and a sizable zip with all course tools . Each video taught a topic that had questions attached with them to complete in the lab. This is where you really learn! I watched the videos in order learning from the awesome instructor Nikhil Mittal. I was amazed at the comprehensiveness. It was just what a noob like me needed. I watched each video in order. Things like
Lateral Movement
Significant time spent on Domain Enumeration
Bloodhound
Powerview
Mimikatz
Powercat
Local Privilege Escalation
Powerup
Domain Persistence
Understanding Kerberos Environment
Golden Tickets
Silver Tickets
Skeleton Keys
DSRM
Custom SSPs
Admin SD Holder
Abusing ACLS
Domain Privilege Escalation
Kerberos
Constrained & Unconstrained Delegation
DNSAdmins
Enterprise Admins
Cross Forest Trust
krbtgt hash and sid history
Trust ticket
After I watched the videos the second time I started to do all the task in the lab environment. Since I get obsessed with new things I was rushing home to get in my lab environment everyday spending usually from say 5-10 PM everyday practicing. It took about 2 weeks to finish all 23 task. I’m feeling pretty good about things at this point. It’s dumb to feel this way honestly since everything is brand new to me I feel as if my knowledge is procedural. Meaning if I was tossed a curve ball and things deviated slightly from what the course taught I’d easily toast. So I select the positive side and congratulate myself for grinding for going on 1 month straight with the course. Although I studied for over 3 months straight on other certs I still pat myself on the back for a concerted effort on anything. Hey! If you don’t want to clap for yourself, don’t. Now I go back through the entire course seeing if there’s anything that catches me off guard or feels fuzzy and I review it. Let’s do this! #schedulesexam
Exam #1
The exam drops you into an Active Directory environment as a low-privileged user. Your goal is to gain code execution on 5 of the boxes in 24 hours. I started out pretty good gaining 3 users and 2 boxes in 4 hours and then came hell. One part that stank was some of the tools used throughout the course didn’t necessarily work in the exam. In the course we used plenty of PowerView, Mimikatz, and Microsoft’s AD module. Anyway I enumerate the entire domain, ran Bloodhound did everything and couldn’t figure my way forward. I stay up the entire 24 and come up dry. Didn’t bother submitting exam report .
Exam #2 (1 week later)
I spend this week reviewing videos on enumeration. I don’t know why but I felt I missed something simple. I start off the exam and gain all privileges that I left off with. I run Bloodhound again after that checking things like sessions, group membership, outbound ACL control. It’s then that I realize I missed something that wasn’t even hidden . I think back to myself, how could I have missed this it was right there. Then I understand what happened. (always try to think if you come up short on anything – what went wrong and how could I not make that mistake again) So while I was enumerating one of the tools missed it luckily since bloodhound shows similar information I saw it there. I was PUMPED at this point. Not to mention I got this like 30 minutes into the 24 hours. I begin pivoting through the domain gaining users and more boxes. 3 hours later I get Domain Admin dump all the hashes in the domain. Game Over. I create an inter-realm tgt gain code execution on the forest domain controller. Finished the report in a hour, proof read it – sent it off. 8 hours later I get the following
Dedication Wins!!
And a few hours after that I receive the following along with a personal email from the instructor himself. Geeked about that . Again, there’s always time.
Overall this course was amazing. A couple things I loved?
How the exam seemed to stretch you and isn’t easy. You’ll learn a lot of new things in the exam itself.
The responsive and helpfulness of the Active Directory Support Staff. I constantly bothered them with any questions I had. You can’t beat it.
As I’m typing this guess what’s going through my mind. “What’s next?”
Welcome back. What follows is my review of the SANs FOR-610 GIAC Reverse Engineering Malware (GREM) course led by the magnificent instructor Lenny Zeltser. I intend to not only give you a day-by-day breakdown but also my thoughts, mindset and overall sentiment. But before all of that let’s rewind to Jan 2019.
Fresh off of nailing OSCE I was desperately searching for something to latch onto. Could you imagine how big my eyes were when my boss informed me I would be able to take a SANs training. I felt Malware Analysis would compliment my Exploit Development experience in addition make me more valuable at work. Studying is baked into my life I never foresee this ever changing. I love to learn. I love to struggle. The dedication. The disciple. The concerted effort. I love the internal fight I always have with myself. Did I mention this event was in Orlando !? So the day of my flight comes I’m freaking pumped!
3 hour flight was fine landed safely had to strip out the hoodie because it was about 75 degrees & sunny. Checked in received all the course materials and some swag. Grabbed a bite to eat and tried to get a good nights rest. I could barely sleep like a kid on Christmas eve.
This swag is not for sale!
Day 1 – Malware Analysis Fundamentals
If you’ve never (sorry to hear that) been to a SANs training you get a book for each day that you work through. We were provided with 2 VMs one Windows and one REMnux (Lenny created and maintains this it’s a stripped down Ubuntu system pre-loaded with all the tools. Once again if you want a reoccurring theme here it’s he’s awesome & very intelligent) It’s quite intense as you get bombarded with tons of material. After a short introduction he jumps straight into the material. We discussed what malware is & general goals we wish to accomplish with our analysis. Some things that won’t make the sexy list but were important was how to build a analysis lab and how to create and deliver analysis report. Now is when the cool things begin to happen. “Okay class go to malware folder day one and double click on it to begin analyzing your first piece of malware”. I’m like this sounds like a mistake but let’s do it! We got pretty intimate with this piece of malware analyzing it statically dynamically and a tiny bit of code reversing in IDA. This malware had C2 functionality & dropped an encrypted config file on the system along with persistence. Here are some of the tools we’d come to use for today and remaining days
PE Studio
Strings/pestr
Process Hacker
Process Monitor
Process Hacker
Regshot
Wireshark
IDA
x64 debug
fakedns
inetsim
After class let out for that day I grabbed a bite to eat and decided to crash instead of going for one of the evening talks.
Day 2 – Reversing Malicious Code
This day I heard was most feared depending on your background. I actually enjoyed it a lot. The entire day was spent inside IDA and looking through the assembly. Some things we learned this day were
Intel Processor
Registers
Pointers
Memory Addressing
Branching
Calling Conventions
How functions work
The Stack
Control Flow
The 2nd half of the taught us how to recognize common API patterns in Malware. Keyloggers, Downloaders, Droppers ect. There was a tiny section on 64-bit code analysis that we didn’t spend much time on. I didn’t go to any evening talk I crawled in the bed an reviewed the days materials.
Day 3 – Malicious Web and Document Files
This day was my favorite. If yesterday beat you up this day was here to pick you back up. It wasn’t easy it was fun. Since this is a way that most malware is introduced inside organizations I was very interested in this days topics. It didn’t disappoint me! We saw so much naughty malware this day. We started out deobfuscating scripts using browser debuggers, and then using standalone interpreters. Again things are intimate here so you’re learning the internal format down to the nitty gritty of the different document types and the tools you use for analyzing them. There was malicious PDFs, Office Documents (Macros), and RTF documents. What blew my mind this day was the amount of ways that JavaScript can hurt you. And why Windows has binaries to execute JavaScript. I guess being naive I simply thought about JS and what it could do inside the browser. Some tools we used this day were:
js (SpiderMonkey)
pdf-parser
base64dump
oledump
olevba
xor-kpa
rtfdump
After this days class I was excited to see what this NetWars hype was all about. So when the time hit I grabbed my machine & headed down.
The atmosphere was incredible being in a room full of hackers and us going head to head. There’s nothing else like it. There was a guy who had over 400 points when the next highest guy had like 50. They took his name off the board because they said they “Didn’t want to depress us anymore” That guy was insane. I did well actually it was a lot of Linux commands, wireshark analysis. The part that tripped me up was image analysis I struggled with this and lost so much time. I fell from 4th to like 20th by end of first day.
I’m on the board!
Day 4 – In-Depth Malware Analysis
We learned a ton of stuff this day. Recognizing and unpacking malware. Debugging packed malware. The 2nd half of the day we learned and examined a fileless piece of malware. It was wicked! Some topics in the 2nd half of the day we learned were API Hooking and Code Injection. We also spent time learning a little bit of memory forensics. Some tools we used this day were
upx
scdbg
volatility
I decided not go to the 2nd day of netwars. Went on a walk exploring the area where our hotel was and chillen by the pool.
Day 5 – Examining Self-Defending Malware
Awesome day spent learning about malware that fights you back or purposely makes it difficult to analyse. We learned about Process Hollowing and the normal techniques malware authors employ to detect debugging. Some tools used this day were
brxor
bbcrack
floss
scylla
Last day of learning & it’s Friday but who care because I’m spent. Went to the room and crashed.
Day 6 – CTF
Get to class at 8:30 and setup my machine, grab my Redbull and prepare for the fight. There’s about 20 people in the class most of them seemed very intelligent. I knew a few of them were fulltime malware analyst but it’s always fun to see where you end up when competing with others. I enjoy the competition. So the CTF was everyone on their own no teams and top 5 people win coins. We had our own scoring server that updated in real time as you earned points so it was intense. For 5 hours we leveraged what we learned to answer questions about different malware samples. Now when we first started on Monday I had to think about everything because it was all new to me. On this day I remember running to the bathroom and thinking damn! You’re not even thinking about this you’re just doing it. Gave myself a bro hug. When the dust settled I had a coin & it was the perfect icing on the cake.
I win !
Studying For The CERT
When I fly back home I immediately reviewed each book. I don’t create an index but I use the color tab thingy’s to mark sections I think are important and also highlight anything relevant of course. The end result of this madness looks similar to this
This was like retaking the entire course it really helped me reinforce topics I knew I was weak on. It also helped me understand where things were in each book. This is valuable because although the exam is open-book you don’t have much time to search for things. After this was done I got access to the MP3 recordings. I listed to all of them in the car, on the train, at lunch, and evening time this was the only thing I did. I went to sleep to Lenny’s voice and woke up to it. This again was like taking the course again it helps tremendously. In between this time I also took the 2 practice test they give you. I scored a 76 on first one and 84 on the second one. It was great to have an idea of the type of questions. So I originally scheduled the exam for a Saturday. At this point I felt like I took the class 3 times and went thru the books like a zillion times. It was Thursday night. I said forget waiting until Saturday you’re taking this exam tomorrow. Luckily the testing center had availability and I rescheduled it. After I did it I though “You’re a fucking fool” But let’s do this!
The Exam
Wake up gather my materials, buy a Redbull and a water and off I go. I gave myself ample time to get to the testing center absolutely can’t be late. I got there 1 hour early at 8 AM and they allowed me to take the exam immediately. Astonished I couldn’t bring my Redbull in the testing area so I downed it. Testing at a center is so funny because you can’t have anything besides your materials all your belongings get stored in an assigned locker. They made me lift up my hair, pants legs I was like WTF those folks would make awesome TSA agents. The exam was HARD but I felt prepared. I finished it in 1 hour and this is what it ended up as
Let’s Go!
I was soo proud of myself!
And when you get 90 (90.7 counts) or higher you get an invitation to the GIAC Advisory Board.
I encourage you to take the class if you can but only if it’s with Lenny. He answered 1 million and one of my questions & he gives off good vibes.
Take care guys – until next time.
When You Should Be Studying But The Code Calls You.
Prologue
I feel like I should confess. Why? Because I’ve fought with myself for the past hour debating on how to spend this Friday evening. I 100% should be continuing my Malware Analysis Workbook to keep making steady progress in preparation for the exam. GREM should be fun, I’m looking forward to it & blogging about the entire experience. At the moment I really don’t feel like “analyzing” anything. I feel like doing! Attempting to make or break something. The brain wants what the brain wants. Here’s how I rationalize things to myself in these situations. If the thing that I’ve yet to figure out what it is, is in someway somehow related to what I should really be doing then guess what, IT’S FINE. So shoot let’s just start an entirely new series on something I totally just came up with.
I have come to understand that there are patterns in malware. But before that – ask yourself what exactly is malware? Here’s where I think the definition from Lenny’s course rings volumes. It’s incredibly non-technical and very subtle. “Malware is code that is used to perform malicious actions.” This leads you to the realization that it’s not per se the capabilities of the software but the intent of the person using or authoring it. We’ll stop right there because my purpose isn’t malware analysis in this post. (You can wait until I take the certification I”ll be sure to blog about the entire process from the first day of the course through to the cert) It’s about patterns remember. So sir, what are these patterns you speak of?
Software is typically developed in a high level language & compiled into a binary executable. What’s the best language to develop? I always enjoy this debate because I’ve played with most of them & can usually argue either way depending on the side my opponent takes. Truthfully it’s preference & how familiar the developer is with the language. Different jobs are accomplished utilizing different tools. Some popular high-level languages are C/C++, Python, Delphi, and Java. Now I purposely left out scripting and interpreted languages , I include Python just because it’s awesome & you can usually accomplish the same as a compiled language with it. I know Java and the JVM so you don’t have to beat me up. Majority of malware is written in C/C++ you could also use Python using CTypes and then compile into an executable but let’s not account for that. It shouldn’t surprise you that malware needs to accomplish many of the same task as ordinary software. Things like reading and writing to disk, network communication, spawning child processes, allocate dynamic memory, painting to the screen and the list goes on. Now these things individually aren’t particularly nefarious. But in groups you can get an idea of what it’s trying to do.
How do you leverage C to write malware? You leverage this surprisingly unicornishly resource call the Windows API from MSDN. It’s how you programmatically interact with everything in the Windows environment. And if you’re thinking they missed a inch, they didn’t! So much so, there’s a group of folks who scoured the entire API (documented and undocumented), pre-loaded binaries and DLLs and created LOL-Living Off The Land. To say that the API is rich would be an understatement. You can do any and everything with it because what’s the point of have an Operating System if it’s not extensible & account for each and every obscure thing a developer might ever want to do. Poor Microsoft.
Here’s an example, we get a malware sample and during the static analysis we look at it’s imports and see function calls to, GetKeyState– GetAsyncKeyState– SetWindowsHookExA. Very quickly you can get a feel for what it potentially might be maybe without even visiting the documentation. In this case a keylogger potentially. This is what I mean when I mention patterns above. This series will begin with the small building blocks before we go full blown into replicating our own malware. This is what I meant when I said I wanted to “attempt to make or break something”. Again, learning is a contact sport and maybe from failing & being stuck so much I don’t mind it. I haven’t developed professionally in years and if I do anything now Python’s usually my go to. So pure C is a challenge I’m totally up for and I hope by the end I can say I improved. I’ve also never written a piece of malware nor it’s components. I encourage you to fight through the cryptic naming conventions grab a C book if you need and just persevere. The best way is to just start. I spun up a VM specifically for developing, downloaded & installed the latest VisualStudio and off I went.
Process & Thread Enumeration
I figured this was an awesome place to begin because it’s pervasive throughout malware. Possibly for anti-debugging, maybe to send off as information gathering to a C2, or searching for vulnerabilities that may aid in privilege escalation. Whatever the reason it’s widespread, gives me a reason to be writing this and is a friendly introduction to C. I will present the code & then explain it in plain English.
1
#include stdio.h
#include Windows.h
#include TlHelp32.h
#include tchar.h
2
BOOL GetProcessList();
BOOL ListAssociatedThreads(DWORD dwProcessID);
3
int main(void)
{
GetProcessList();
return 0;
}
4
BOOL GetProcessList()
{
PROCESSENTRY32 process_structure;
HANDLE handleToProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 56
if (handleToProcessSnapshot == INVALID_HANDLE_VALUE) {
_tprintf("Failed To Obtain Handle To Process Snapshot");
return FALSE;
}
7
process_structure.dwSize = sizeof(PROCESSENTRY32);
8
if ( !Process32First(handleToProcessSnapshot, &process_structure) ) {
_tprintf("Failed To Get Obtain Data About First Process - Last Error = %d\n", GetLastError());
CloseHandle(handleToProcessSnapshot);
return FALSE;
}
do
{
9
_tprintf("\n\n=====================================================");
_tprintf("\n Process Name: %s", process_structure.szExeFile);
_tprintf("\n Process ID: 0x%08X", process_structure.th32ProcessID);
_tprintf("\n Parent Process ID: 0x%08X", process_structure.th32ParentProcessID);
_tprintf("\n Thread Count: %d\n", process_structure.cntThreads);
10
ListAssociatedThreads(process_structure.th32ProcessID);
_tprintf("\n\n=====================================================");
11
} while ( Process32Next(handleToProcessSnapshot, &process_structure) );
CloseHandle( handleToProcessSnapshot );
return( TRUE );
}
BOOL ListAssociatedThreads( DWORD dwProcessID )
{
THREADENTRY32 thread_structure;
HANDLE handleToThreadSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
if ( handleToThreadSnapshot == INVALID_HANDLE_VALUE ) {
_tprintf("Failed To Obtain Handle To Thread Snapshot");
return FALSE;
}
thread_structure.dwSize = sizeof( THREADENTRY32 );
if ( !Thread32First(handleToThreadSnapshot, &thread_structure) ) {
_tprintf("Failed To Get Obtain Data About First Thread - Last Error = %d\n", GetLastError());
CloseHandle( handleToThreadSnapshot );
return FALSE;
}
DWORD dwThreadCount = 1;
do {
if ( thread_structure.th32OwnerProcessID == dwProcessID ) {
_tprintf("\tThread ID-%d: 0x%08X\n", dwThreadCount, thread_structure.th32ThreadID);
dwThreadCount++;
}
} while ( Thread32Next(handleToThreadSnapshot, &thread_structure) );
}
You may have noticed that I didn’t bother numbering the second function call. That’s because it’s basically identical to the first. I will illustrate the difference when we reach a piece that’s different.
These are the imports. An import is just a library that holds tons of functions for us to call. They only exist to be used by us so long as we import them first. This makes them happy.
Function declarations. These are used to help with compile time error checking. In this case it says we’re creating 2 function, that are of type Boolean(true/false), their respective names, and any arguments they may expect. It’s like an early warning system. For instance, if we began to write the function body (that one takes an argument named dwProcessID) and we forgot to include it, the compiler understands from our declaration it should be there. So it immediately complains, we call ourselves silly – correct it and move on.
Main method. It’s the entry-point for the entire program. Execution starts here you don’t need to think about it. We call our 1st function here and for clarity include the return statement.
This looks similar to the function declaration but without the ; and statements within the { } brackets. Inside these brackets is our function body (the purpose of the function).
I like to think about a Window’s Handle as a pointer to a system resource. It’s a more abstract level for instance if you wanted to read a file, you’d call the appropriate function – obviously passing it amonst other things the filename. You wouldn’t get a file back or an object you’d get back a Handle. Then all further processing you refer to the handle.In our case we make a call to CreateToolhelp32Snapshot this function comes from the tlhelp32.himport. We search MSDN and understand the arguments to pass it, one being TH32CS_SNAPPROCESS along with the 0 argument says, “Give me a handle snapshot of all the running processes on the system at this point in time”.In the 2nd function this call is also made again but this time with a different 1st argument TH32CS_SNAPTHREAD. Appropriately named since the first functions grabs all the processes then we find each processes associated threads.
Error checking. From MSDN we know that if the call to get the process snapshot fails it’ll return that symbolic constant INVALID_HANDLE_VALUE. You could make a call to GetLastError()to further debug.
Important. MSDN told me this. You need to set the size field of the structure before you make the call to the next function. If you don’t do this, the call automatically fails.
Call to Process32First this is how we actually make a call to get the first process. It takes as arguments, the handle and the structure who’s member we had to initialize. We put this call inside an if statement, if we encounter an issue we fall into the error printing statements included in that statement and close the handle so it’s not a stray.
Success! If we reach here it means we’re good – we’ve gotten the data associated with our first process in the snapshot. That structure we set the size on now is populated with the relevant data returned from the function call. Some of those things are the process’s name, ID, it’s parent process ID, thread count and a host of other thing. Break after the call to view all the relevant fields in the structure or just Google it.
Determine which threads belong to this process. As mentioned earlier that function is very similar except it takes a snapshot of all the threads, and then we compare the process ID we pass into the function to the threads parent process ID.
Notice the call to the Process32Next function as the continuing condition for the do-while loop. This function will move to the next process in the snapshot.
Here’s some output:
Except of running the code.
Epilogue
We’re going to build up to something awesome I promise. Obviously this is for educational purposes only. NOTE: If you want to compile the code just remove the numbers I included to explain the different sections.
The design and provisioning of an AD Penetration Testing Lab created to mimic a corporate network. After which, we will simulate an adversary attacking the network using various techniques. Along the way we will spend time getting to know the key concepts on what being in a “Windows Environment” is all about.
This will be broken into multiple post, each leveraging the previous one & building towards the next. Since this is meant to be comprehensive we will spend a significant amount of time (the initial few post) constructing our lab. Once completed, we’ll detail as many Red-Team scenarios, Pentesting Techniques (or whatever we think is relevant/cool) on the network we created. There is no end in sight! Once I’m tapped out I will solicit friends & peers for techniques to illustrate.Did you catch I said we? That means you also. So do leave comments, email me, to keep this series rolling.
Note: In no way do I or ever claim to be an expert in anything. The best way for me to learn is by doing – making mistakes, trying/failing, and just persevering. With that said my connections are experts in the topics I’ll speak about. If I misspeak or underrepresented anything – point it out, I’m totally open to constructive criticism.
WHEN (Does It Start?)
Aren’t you reading this right now? Duh. Just kidding – I plan on staying pretty consistent. Current date is 4/10/2019 19:12 EST. I would like to be done with the standing the lab up and be on to blogging about the scenarios by beginning of summer at the latest.
WHY (Are You Even Doing This?)
Because I Have Unlimited Amounts Of Free Time? This couldn’t be further from the truth !! Let’s see I lead AppSec @ work, am preparing to take GREM, being a husband, being a sibling, being a resource, and being a friend.
Because I Get Paid For This? Yeah Ok! If anyone is paying then the funds have never reached me lol. Truthfully I still remember being broke waking up and not having a single dollar. I do pretty well nowadays and I’ll never let money motivate me! Imagine being purely driven by money, and then there’s no money left. That’s why I’ll never ask for a donation, a beer or anything similar. The best thing you could do for me is leave a comment (to help me make it better for the future) or share it with others. You’ll never see an ad on this blog. I take pride in this and it means a lot to me. One of the most valuable things you provide to someone is your time.
Because Why Not ?! Okay. Now we’re on to something. The thing to love about having a blog is being able to write about whatever the heck you want! If I wanted to fill this blog up with lavender bunny rabbits or Swedish meatballs, who could tell me not too? Nobody. Fortunately for you guys I’m not that weird! I made a promise to myself that I wouldn’t write to fill up the pages. This syndrome affects primarily new bloggers. After receiving warm fuzzy feedback on their blog, the human in them wants to just put out more post, sacrificing quality just to continue getting complimented. Being self aware is an amazing quality to have. So instead of quantity I focus on quality and content.
To Learn Some of you who know the path I took to get where I am currently. I skipped over an important role that most offensive & defensive folks get. System Administration & Networking. All my knowledge in those areas are self taught mostly from books & hacking. It’s almost like my hobby now. Fun fact, for me is that the more unknown something is to me, the more fascinating it is.
To Teach I never want to be the guy that hoards information. Ever. I think it’s disgusting when people are afraid to sharing knowledge for whatever reasons. I also feel like I’m the perfect medium. Almost artistic like a compiler, actually a decompiler. I take some input, perform some translations – modifications and do my best to covey it to you as output in a language that’s most familiar to you. Teaching is loaded because you’re constantly reinforcing what you already knew. So again I win.
To Be The Devil’s Advocate We will look through both lenses, that of the attacker as well as the defender. I think this is necessary for completeness. Just think how wrapped up we get in colors and the box we place ourselves in. “I’m a Red-Teamer – I’m a Blue-Teamer – I’m a Purple-Teamer”. In reality there’s 2 sides, the good guys & the bad guys. If you straddle the line, I consider you to be on the bad side. Simple
Okay. With that out of the way – let’s start Part 1 of the series!
I’ll summarize exactly what we’re going to accomplish in this post first, then illustrate it in detail below.
Summary/Disclaimer
Physical System Requirements
Recommendation & What’s in My Environment
ESXI & Hypervisors
Download, Installation, and Deployment
Active Directory & Windows Domains
Summary/Disclaimer:
*Operation Manage Expectations* – Unfortunately or fortunately every marathon starts with a single step. This is our single step. It sets the stage for all subsequent post in this series. With it being the foundation it’s one of the most important. What happens to anything build upon weak foundation? We actually won’t do any hacking here. It’s meant to understand the core concepts and get a handle on getting your lab stood up. (I can’t hear folks sucking their teeth & heading for the EXIT)
Physical System Requirements:
First off, I don’t want to hear any chuckles, laughs or “bruhhh’s” after I reveal what I’m about to say. I’m running all this on a Dell Inspiron 3874 from back in the day! If you’re a person with a fancy beefy server so be it! More power to you. But if you’re more like me, loving to stretch the limits of anything you can touch on, then you can so-called “ball on a budget”. I laughed one day when I read people speculating on what type of equipment & devices I had in my lab. I was like damn this guy is going to be sadly disappointed when I inform him on the current state of affairs going on here lol. So take what I’m going to list below w/ a grain of salt.
Processor – Depending on the generation I would say you can get away with having an I5 processor. Obviously the newer the better, to handle all the multitasking we’ll be doing and to utilize the advances in technology. Again my old I7 fourth gen does just fine. Ha!
RAM– One of the most important things in the entire stack. This depends on how big you want your environment to be honestly. I would suggest 32GB and a minimum of 16GB. At the moment I have 12GB and I usually never see more than 50% usage at max load having 5 VMs running and all processing something.
Disk– Ideally you have a large SSD 1TB and a small one 128GB to boot from. My setup is slightly different. I had an 256GB SSD laying around and the desktop came with a 1TB HDD. So I boot the OS from the 256GB SSD and use the HDD for the VM Storage. You actually could boot the OS from a flash drive atleast 4GB if you wanted. I did this before and experience random hanging and freezing so that’s why this time around I decided to use a physical drive.
My Powerhouse Dell Inspiron 3874
*IMPORTANT* You’re free to use whatever Hypervisor you want. I tried all the major ones and settled with VMware ESXI as my favorite. If you’re going to follow this post & build your lab accordingly, ESXI only works with Intel NICs. You’ll need to have one to avoid a situation where you have to patch the ISO to inject open-source (shady) drivers (kernel level rootkit?) into your build. Guess what? That desktop had a Realtek NIC. Irony. No worries I solved this easily by buying and installing one of these.
ESXI & Hypervisors:
I’ll spare you from the dictionary definition which you’re welcome to find here on what a Type 1 hypervisor is. Type-1 runs directly on the host machines hardware directly and doesn’t have to load an OS first. In comparison to Type-2 which most people are already familiar with some examples, VirtualBox (yuck) – VMWare Workstation (if you’re fortunate) – VMWare Player (if you’re fortunate & the one of your liking.
So what does this do for us? Great question. When we leverage this type of hypervisor we’re able to utilize all the host machines hardware for our VMs. First thing we do is head over and grab the latest ESXI image from VMWare’s website which at the moment is 6.7. YES – you have to create an account.
Downloading latest ESXI image
The ISO is surprisingly small for the shear amount of magic that it provides. The next thing we want to do is burn the ISO to a USB flash drive. There are a few programs I’ve used for this over the years depending on OS but the most reliable one has to be Rufus. Download and install (or run it).
Insert your USB into the machine and run Rufus. You’ll have to point it to the ESXI ISO, it should detect your USB drive letter automatically. Similar to the following:
Writing ESXI image to flash drive
Installation should be quick, less than a minute. Unfortunately the only confirmation you’ll get from Rufus is a Window’s chime and the progress bar reaching 100% visually but sorry no messagebox popup confirmation.
Rufus finished writing image to flash drive
Now that we have our flash drive ready for battle, we insert it into the system we’re using for our lab. Sometimes you’ll hold F2 on system boot or go into the bios, alter the boot order and select the USB to load prior to the Hard Disk. The process for installing ESXI is very simple just click through honestly. But for the sake of completeness I wanted to detail it thoroughly. The initial load will show you some Linux booting output and switch to the following looking screen:
ESXI loading after booting from USB
Click “Enter” to Continue with the installation when paused at the Compatibility prompt. Then F11 to accept the EULA. Continuing on you’ll be prompted to select the disk you want to install ESXI on. If you’re dropping it on another USB make sure it’s insert it VMWare should recognize it. DON’T OVERWRITE THE USB WITH THE INSTALLATION ON IT MISTAKENLY. No matter what choose the correct disk, if you’re using SSD or HDD just make sure you select the correct one. Remember this ISN’T the place where your VMs will be held, although it’s probably inside the same physical system. In my case for illustration purposes I’m installing on a VM so my disk is labeled as such, and looks like the following. (Multiple disk will be listed if applicable)
Installing ESXI on host disk.
Hit “Enter” to Continue. Select your default keyboard layout Swiss German in my case. JK – I selected “US Default” of course & again “Enter” to Continue. At the next screen you’re prompted for a root password, make it whatever you want so long as you remember it
Selecting root password.
Confirm again your pointing to the correct disk before you begin the partition. (Can you tell I screwed up here before?)
Confirming partition to write to
A completed install looks similar to the following.
Completed ESXI Install.
Great Progress! Remove the installation media and reboot.
To save time here’s the assumptions I will make:
You already have at least one Windows Server edition to be your domain controller. Microsoft provides evaluation copy’s for 180 days that you can download directly from them Server 2016 Download. You’ll have to fill out the form (bogus information) to initiate the download. Get creative
You have at least one client to add to your domain, this could be any Windows OS like 10, 8 (you’re weird), 7 or XP. You can get Windows 10 for free using their Media Creation Tool here. Get creative finding the other editions.
If all went well you’ll boot up to the following:
ESXI Installed & running.
Take note of the IP address ESXI presents to you and browse to the IP. It should be bridged to your LAN. Note: My address is NAT’d since I’m simulating the process on a VM. Not that should have realized that anyway. From this point on you can disconnect the monitor if you like, all the rest of the administration is done through the web application.
Accepting the self signed cert shows the following:
ESXI Web App Login
After logging in your main dashboard provides you a bunch of system information about your physical host and configuration options for your future lab. To deploy a VM first we have to upload an ISO. In ESXI terms the storage that houses the ISO and the resulting VMs is called the datastore. Things are pretty intuitive actually bc the upload process to the datastore is streamlined in the Create/Register VM workflow. Click that button:
ESXI Dashboard
Select “Create a new virtual machine” and click Next as follows:
Deploying a new VM
Give you VM a recognizable name & select the OS version from the dropdown. I named mine DC-2K-16 just to be descriptive. I know it’s going to be my Domain Controller and the OS year. Do whatever makes you happy:
Select VM OS and naming it
You’ll select a datastore, click Next and be presented with the final screen.
VM Provisioning almost complete
Note: We still didn’t upload our ISO to the datastore yet. Now here’s our time. You’re going to click “Browse” from the location row. This will open the datastore browser, there you’ll click “Upload” and then browse your local system to the Windows Server 2016 ISO.
As it’s progressing things should look like this:
Be patient – this is where you get to pause and reflect on your tremendous efforts thus far.
After that finishes, do yourself a favor. Upload your other ISO the Windows 10 machine also. In my case I had a Windows 8.1 32 bit ISO already downloaded so that’s what I used. To simulate a corporate network I’d suggest at least 9 machines. You’re going to upload until your thumbs hurt haha. You’ll also need a PFSense ISO that’ll be our virtual Firewall – you can grab it from here and upload that ISO like the other images. Download your ISO’s from where ever you’re finding them, upload them to the datastore, and repeat. Repeat until you’re close to the setup I have below.
Back at our Dashboard we can now see our VM list has grown from 0 to 1. Clicking on it and selecting Power On. This will load the VM and install Windows like we’ve done a thousand times prior. Repeat the process for all your client machines. This is the part that takes the most time so you can upload a bunch and go to sleep or something.
Note: I am switching from the virtual environment where I was demonstrating the the installation process to my actual ESXI server. The one you laughed about earlier smh.
You should now have the beginnings of an AD Pentesting lab. Mines looks like the following:
Enough VMs to make you jealous
Active Directory & Windows Domains
An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user, a group or it can be a hardware component, such as a computer or printer. Each domain holds a database containing object identity information.
Active Directory domains are grouped in a tree structure; a group of Active Directory trees is known as a forest, which is the highest level of organization within Active Directory. Active Directory domains can have multiple child domains, which in turn can have their own child domains. Authentication within Active Directory works through a transitive trust relationship.
Active Directory domains can be identified using a DNS name, which can be the same as an organization’s public domain name, a sub-domain or an alternate version (which may end in .local). While Group Policy can be applied to an entire domain, it is typical to apply policies to sub-groups of objects known as organizational units (OUs). All object attributes, such as usernames, must be unique within a single domain and, by extension, an OU.
That was a mouthful. Let’s try to explain it in layman’s terms. A domain is simply a group of computers or devices that can be managed centrally. A domain controller is the server edition of Windows in the environment that responds to authentication request from other systems on the domain. This server implements the Active Directory roles/responsibilities, and stores all the user account information for the domain, enforces the security policy, and can run the domain’s DHCP & DNS servers.
Feel free to read, Google and pause if you want to research any of these topics in depth. For now just accept that this is all you need. I’ll give you everything else that’s pertinent exactly when it’s required. This is enough to get us off the ground running.
Here’s what I hope you learned about in this post:
My motivations to start this series & what I hope to accomplish
You can deploy a pretty nice lab for close to nothing if you have the time
How to write ISOs to flash drives if you’ve never done it in the past
How to install an ESXI server
How to install VM OSes inside your ESXI server
A little bit about Active Directory & Window Domains
For the next post I have the following agenda:
Configure our first DC
Promoting the server to be DC
Installing the Active Directory roles & responsibilities
Hello friends! It’s been quite some time since I’ve blogged – shame on me. No excuses as I can’t say I’ve been particularly busy or engaged in anything mind-blowing. The truth is I haven’t had much to write about lately & I’m not going to deliver nonsense because then I would lose your trust. I err on the side of quality vs. quantity as I hope everyone reading this does. My quest to become a better developer is something that has been keeping me occupied lately. To that end, learning MEAN stack development is something I really want to get better at. How can I understand how to break something if I don’t know how to build it? It’s in its infancy but my goal is to build a vulnerable MEAN stack application and release it to Github for everyone to tear it apart and understand how the typical web application vulnerabilities manifest themselves in a MEAN stack application at the code level. No promises but I hope by the end of the year I could deploy the beta version. Enough updates let’s get down to the point of this post.