wielding a cortana

Upload: harmj0y

Post on 13-Dec-2014

DESCRIPTION

These slides were presented at BSidesAustin 2014, and cover Cortana attack scripting, its background, and five implemented use cases.

TRANSCRIPT

Page 1: Wielding a cortana

Will@harmj0y

Veris Group

Wielding a Cortana

Page 2: Wielding a cortana

$ whoami

• Security researcher and penetration tester for Veris Group

• Co-founder of the Veil-Framework #avlol
  o www.veil-framework.com
  o Shmoocon ‘14: AV Evasion with the Veil Framework
  o co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView

• https://github.com/HarmJ0y/

• http://harmj0y.net

Page 3: Wielding a cortana

tl;dr

• Cortana? wtf

• OK that’s cool, what can I do

• Cortana use cases:
  o grabcreds.cna - auto hash dumping
  o safetynet.cna - saving shells
  o veil_evasion.cna - #avlol :)
  o user_hunter.cna - find DAs
  o beacon.cna - graphical beacons*

Page 4: Wielding a cortana

Cortana? wtf

• Raphael Mudge’s DARPA cyber fast track project

• Allows for the scripting of Armitage and/or Metasploit itself
  o Some of this functionality is restricted to Cobalt Strike - marked by a *

• Doesn’t seem to have publicly caught on
  o Which is dumb, since it’s incredibly useful

Page 5: Wielding a cortana

Cortana: Why Use It

• Allows for the easy customization of an already existing, powerful tool

• Many standard pentest actions can be automated and manipulated in useful ways

• Lets you minimize the time spent doing repetitive tasks

Page 6: Wielding a cortana

Cortana Background

• Cortana is a set of extensions to the Sleep language that allows for the control of Armitage/Metasploit

• Sleep = Java-based scripting language heavily inspired by Perl and written by Raphael

  o http://sleep.dashnine.org/documentation.html
  o http://www.fastandeasyhacking.com/download/cortana/cortana_tutorial.pdf

Page 7: Wielding a cortana

Sleep 101

• “Sleep is primarily a glue language and was designed from the ground up to be embedded in Java applications…[it] brings the power of Perl to the Java platform.”

• Much of the backend of Armitage is actually written in Sleep

https://today.java.net/pub/a/today/2005/07/14/sleep.html

Page 8: Wielding a cortana

Cortana 101

• Interaction with Metasploit is baked in through utilization of MSF’s RPC interface

• You can send commands to a Meterpreter session, interact with the backend database, launch modules, etc.

• m_cmd($1, "sysinfo");

• host_info($address);

• exploit("windows/smb/ms08_067_netapi", $addr);

Page 9: Wielding a cortana

Cortana 101

• Triggers can be set up to asynchronously fire on various actions/events:

  o new sessions
  o meterpreter/shell commands
  o new hosts/services/routes/etc.

• Lets you perform contextual actions and automate a lot of post-exploitation

Page 10: Wielding a cortana

Cortana 101

Page 11: Wielding a cortana

Cortana 101

• The user interface for Armitage can be easily modified:

  o new program menus
  o new meterpreter action menus
  o changeable host icons

• Lots of examples at:

https://github.com/rsmudge/cortana-scripts

https://github.com/HarmJ0y/cortana

Page 12: Wielding a cortana

Cortana Use Cases

Page 13: Wielding a cortana

Use Case #1

• On each meterpreter session that comes in, we always like to grab all credentials we can from the box:

  o hashdump
  o run mimikatz
  o see if a user we want is logged in

• ASPNET? Guest? SUPPORT_*? no thx

Page 14: Wielding a cortana

How Can Cortana Help?

• grabcreds.cna
  o on session_sync { … }
  o m_cmd($1, "wdigest");
  o on meterpreter_wdigest { … }

• On each host that comes in:
  o run hashdump and mimikatz
  o filter out account names we don’t want
  o dump creds to the database
  o check users found against a designated list
  o announce results on the team chat*

Page 15: Wielding a cortana

grabcreds.cna

Page 16: Wielding a cortana

Use Case #2

• Losing shells sucks

• Our standard procedure is to inject additional sessions (or beacons*) for fallback in case our main working session dies
  o and not to just one C2 server

• This becomes tedious when you’re dealing with A LOT of shells and various handlers

Page 17: Wielding a cortana

How Can Cortana Help?

• safetynet.cna
  o on session_sync { … }
  o launch("post", …)

• automatically runs a payload inject module against each host
  o injects a “safetynet” payload

• Problem:
  o we want to inject two payloads, one from the existing process context and one into explorer.exe

Page 18: Wielding a cortana

Sidenote: smart_payload_inject.rb

• Existing payload_inject.rb only allows for injection against predefined process IDs

• smart_migrate.rb allows for “smart” migration into explorer.exe

• Combine the two -> easy injection into a specific process name, explorer.exe default

Page 19: Wielding a cortana

safetynet.cna - interface

Page 20: Wielding a cortana

Adding From Existing Listeners*

Page 21: Wielding a cortana

Custom Safetynet Payloads

Page 22: Wielding a cortana

Installing Safetynets

Page 23: Wielding a cortana

Use Case #3

• Armitage/Cobalt Strike are great, but sometimes we want specific gui modifications

• Say we want to have a Cobalt Strike workspace containing only hosts with active beacons*

*http://www.advancedpentest.com/help-beacon

Page 24: Wielding a cortana

How Can Cortana Help?

• We can grab the active beacon list
  o @beacons = call('beacon.list');

• We can set up ‘heartbeat’ callbacks to periodically perform actions
  o on heartbeat_5s { … }

• We can modify our gui in useful ways
  o filter host_image { … change a host’s gui image … }
  o bind Ctrl+B { open_beacon_browser(); }

Page 25: Wielding a cortana

Graphical Beacons

Page 26: Wielding a cortana

Use Case #4

• psexec in Metasploit is great, but the standard exe templates = no good

• Veil-Evasion does a great job at generating AV-evading executables :)

• But generating each time, reconfiguring paths, etc. is a pain

Page 27: Wielding a cortana

How Can Cortana Help?

• veil_evasion.cna
  o filter user_launch { … }
  o exec(SYSTEM COMMAND);

• Invokes Veil-Evasion to generate a binary, intercepts psexec calls in Armitage, and substitutes this in for a custom EXE

• No more caught payloads :)

Page 28: Wielding a cortana

Sidenote: swing >_<

• Exposed Cortana functions are great, but didn’t quite cover exactly what we wanted

• Luckily, Cortana scripts can integrate various java/swing GUI manipulations

• And guess what? Armitage has examples. And it’s BSD-licensed

Page 29: Wielding a cortana

Armitage Backend

Page 30: Wielding a cortana

Armitage Backend

Page 31: Wielding a cortana

veil_evasion.cna - Main Menu

Page 32: Wielding a cortana

veil_evasion.cna - Main Interface

Page 33: Wielding a cortana

Use Case #5

• What’s the usual goal for a smash-and-grab pentest?

• Find out who the domain admins are

• Find where they’re logged into

• Find a set of credentials that gives us SYSTEM on their box

• psexec, pop a box, mimikatz, profit

Page 34: Wielding a cortana

Situational Awareness 101

• Manual process on the domain side:

• net user /domain

• net group /domain

• net view

• net view \\<hostname>

• net sessions \\<hostname>
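The five net.exe commands on this slide are also what a defender should expect to see back-to-back from one user on one host shortly after a foothold. The following is an added example, not code from the slides or from any Armitage/Metasploit project: it classifies each command line into a recon category and raises one alert per (host, user) that runs several different categories inside a short window. The log line format, host names, users and timestamps are all constructed here; the regex would need to be mapped onto a real 4688 or Sysmon export.

```python
"""Detect the "Situational Awareness 101" net.exe chain in process-creation logs.

Added example (not from the slides).  The log format below is constructed:
ISO timestamp, then key=value fields, with the command line last.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

# net.exe hands most sub-commands to net1.exe, so accept both images.
NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}


def classify(cmdline: str):
    """Map a net command line to a recon category from the slide, or None."""
    parts = cmdline.strip().lower().split()
    if len(parts) < 2:
        return None
    exe = parts[0].rsplit("\\", 1)[-1]          # drop any path prefix
    if exe not in NET_IMAGES:
        return None
    verb, args = parts[1], parts[2:]
    domain_wide = "/domain" in args
    remote = any(a.startswith("\\\\") for a in args)   # a \\HOST argument
    if verb == "user" and domain_wide:
        return "user_domain"
    if verb == "group" and domain_wide:
        return "group_domain"
    if verb == "view":
        return "view_host" if remote else "view"
    if verb in ("session", "sessions"):
        return "sessions"
    return None   # net use, net start, net localgroup ... are not part of the chain


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_recon_bursts(lines, window=timedelta(minutes=5), min_distinct=3):
    """One alert per (host, user) with >= min_distinct recon categories inside `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec["cmdline"])
        if cat is not None:
            events[(rec["host"], rec["user"])].append((rec["ts"], cat))

    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start,
                               "categories": sorted(cats)})
                break   # one alert per principal is enough for triage
    return alerts


# Constructed sample: a full recon burst on WS01, harmless noise elsewhere.
SAMPLE_LOG = [
    r'2014-12-13T10:00:01 host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net user /domain',
    r'2014-12-13T10:00:30 host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net group "domain admins" /domain',
    r'2014-12-13T10:01:10 host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net view',
    r'2014-12-13T10:01:45 host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net view \\FS01',
    r'2014-12-13T10:02:20 host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net session \\FS01',
    r'2014-12-13T10:03:00 host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net use Z: \\FS01\share',
    r'2014-12-13T11:15:00 host=WS02 user=CORP\asmith image=C:\Windows\System32\net.exe cmdline=net view',
    r'2014-12-13T11:16:00 host=WS02 user=CORP\asmith image=C:\Windows\System32\notepad.exe cmdline=notepad.exe',
]

if __name__ == "__main__":
    for a in detect_recon_bursts(SAMPLE_LOG):
        print(f'{a["host"]} {a["user"]} @ {a["start"]}: {", ".join(a["categories"])}')
```

The window and the distinct-category threshold are the two knobs worth tuning: a single `net view` from a helpdesk account is normal, while user, group, view and session enumeration from one principal within a few minutes is the exact sequence the slide describes and rarely has a benign explanation on a workstation.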

Page 35: Wielding a cortana

Netview.exe

• Rob Fuller (@mubix) released a tool at Derbycon 2012 called Netview, which “enumerates systems using WinAPI calls”

• Can find hosts, shares, and logged on users across a network

• Two API calls really interest us:
  o NetServerEnum – enumerate (from the DC) domain systems of a certain type
  o NetWkstaUserEnum – get users logged onto a system

Page 36: Wielding a cortana

Metasploit

• Most of this type of functionality already exists in Metasploit (of course):

• smb_enumusers_domain
  o uses NetWkstaUserEnum (through railgun) to get users logged into a particular machine

• local_admin_search_enum
  o checks a range of IPs to see if the current user has admin access, and grabs the logged in users with NetWkstaUserEnum as well

Page 37: Wielding a cortana

Metasploit

• enum_domain_group_users
  o runs “net groups GROUP /domain” against a host and parses the results

• computer_browser_discovery
  o queries the default domain controller for all hosts of a particular type using NetServerEnum

Page 38: Wielding a cortana

user_hunter.rb

• New Metasploit module, drawing from existing functionality

• Takes a username, userlist, or domain group to query against the local DC

• Takes a host list, or runs “net view” to try to enumerate all machines on a domain

Page 39: Wielding a cortana

user_hunter.rb

• Runs NetWkstaUserEnum against each target host to determine the users logged into the machine

• Compares this against the target user list, throwing a specific user.hunter note into the database when it finds a match

• point -> click -> be told where DA’s are
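The matching step these two user_hunter.rb slides describe, over the NetWkstaUserEnum data the Netview and Metasploit slides introduce, is a per-host set intersection. Below is an added example in Python, not user_hunter.rb or any Metasploit/Cortana code, that runs that same comparison from the defensive side: given the logged-on users each host reports and the list of privileged accounts, it emits user.hunter-style notes and then flags every privileged session sitting on a host outside the tier-0 set. Hosts, users and group members are constructed; the enumeration itself (the NetWkstaUserEnum call, or an inventory export that already contains its output) is assumed to have happened, and the noise filter reuses the account names from Use Case #1.

```python
"""Where are the Domain Admins logged on?  Added example, not user_hunter.rb.

Input is what NetWkstaUserEnum returns per host (WKSTA_USER_INFO_1 has a
username and a logon domain); all data below is constructed.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class WkstaUser:
    """One logged-on user record as NetWkstaUserEnum reports it."""
    username: str
    logon_domain: str


# Accounts that are noise in a credential sweep (the Use Case #1 filter)
# plus machine accounts, which end in '$'.
NOISE_PATTERNS = ("ASPNET", "Guest", "SUPPORT_*", "*$")


def qualify(domain: str, user: str) -> str:
    """Canonical DOMAIN\\user form, lower-cased so comparisons are case-insensitive."""
    return f"{domain}\\{user}".lower()


def is_noise(user: str) -> bool:
    return any(fnmatch.fnmatchcase(user.upper(), p.upper()) for p in NOISE_PATTERNS)


def find_privileged_sessions(sessions_by_host, targets, domain="CORP"):
    """Return one user.hunter-style note per (host, target account) match.

    `targets` may be bare usernames (assumed to be in `domain`) or DOMAIN\\user.
    """
    wanted = {t.lower() if "\\" in t else qualify(domain, t) for t in targets}
    notes = []
    for host, users in sessions_by_host.items():
        for u in users:
            if is_noise(u.username):
                continue
            name = qualify(u.logon_domain, u.username)
            if name in wanted:
                notes.append({"host": host, "type": "user.hunter", "user": name})
    return notes


def exposure_report(notes, tier0_hosts):
    """Group matches by account and list the hosts outside tier 0 they are logged on to."""
    tier0 = {h.upper() for h in tier0_hosts}
    report = {}
    for n in notes:
        entry = report.setdefault(n["user"], {"hosts": [], "exposed_on": []})
        entry["hosts"].append(n["host"])
        if n["host"].upper() not in tier0:
            entry["exposed_on"].append(n["host"])
    return report


# Constructed inventory: per-host NetWkstaUserEnum results and a DA list.
DOMAIN_ADMINS = ["da.smith", "da.jones"]
TIER0_HOSTS = ["DC01"]
SESSIONS = {
    "DC01": [WkstaUser("da.smith", "CORP"), WkstaUser("DC01$", "CORP")],
    "WS17": [WkstaUser("jdoe", "CORP"), WkstaUser("da.jones", "CORP"),
             WkstaUser("ASPNET", "WS17")],
    "FS01": [WkstaUser("svc_backup", "CORP"), WkstaUser("Guest", "FS01")],
    "WS22": [WkstaUser("da.smith", "LAB")],   # same name, other domain: no match
}

if __name__ == "__main__":
    found = find_privileged_sessions(SESSIONS, DOMAIN_ADMINS)
    for account, info in exposure_report(found, TIER0_HOSTS).items():
        print(f"{account}: logged on to {info['hosts']}, exposed on {info['exposed_on']}")
```

The red-team and blue-team readings of the output are the same list: a DA session on WS17 is where the slide's "psexec, pop a box, mimikatz" chain would land, so the fix is to get privileged accounts off non-tier-0 hosts before an assessment (or an intruder) finds them there.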

Page 40: Wielding a cortana

How Can Cortana Help?

• We can interact fully with the msf database
  o @notes = call("db.notes")["notes"];

• We can set up ‘heartbeat’ callbacks to periodically perform actions
  o on heartbeat_5s { … }

• We can modify our gui in useful ways
  o filter host_image { … change a host’s gui image … }

Page 41: Wielding a cortana

Cortana – user_hunter.cna

• Cortana script that periodically polls the MSF database for our user.hunter notes

• Modifies the host icons of any systems with found users
  o i.e. any systems where a DA is logged into!

• Also adds an option to launch the user_hunter.rb module from any meterpreter session

Page 42: Wielding a cortana

Demo

Page 43: Wielding a cortana

Recap

• Cortana is awesome, contribute!
  o https://github.com/rsmudge/cortana-scripts
  o https://github.com/HarmJ0y/cortana

• Many standard assessment actions can be automated and manipulated in useful ways

• The less time you spend doing repetitive actions = the more you can spend pwning the client

Page 44: Wielding a cortana

Questions?

Will

@harmj0y

[email protected]

harmj0y on Freenode - #veil and #armitage

Get the cortana pack: https://github.com/HarmJ0y/cortana