Exploit Development Tips, Tricks, Tools and Resources

[Here’s the second part of our series of Pen Test Tips that were featured on the Ultimate SANS Pen Test Poster.  Last week, we featured some network Pen Test Tips by John Strand.  This time around, Mr. Steve Sims shares some useful insights and resources on exploit development. –Ed.]

By Steve Sims
Methodology Tips

Recon – When fuzzing applications and kernels for potential vulnerabilities, monitoring is key in successfully identifying what caused a crash to occur. Failure to properly set up monitoring may render an otherwise exploitable condition to go unnoticed.
Scanning – When bug hunting, fuzzing is one of your best friends. It is critical to spend the upfront time understanding the protocol or file format you are testing. Even more important is the ability to apply proper code coverage analysis to determine if you are reaching the code segments desired. It is unlikely that you will find bugs in code that you do not execute during testing.
Exploitation – On modern operating systems there are many exploit mitigation controls with the goal of thwarting your attacks. An attacker must be armed with many techniques to defeat or circumvent these controls. Familiarity with Return Oriented Programming (ROP), C/C++ programming, and tools to navigate the complexities of the Windows heap and its allocators are essential.
Post-Exploitation – Once an exploitable condition is identified and a working exploit created, efforts must be made to make the exploit as stable as possible. Exploits that only work a fraction of the time are more likely to cause application and system crashes. Exploits should be responsibly disclosed to the appropriate vendor so that a patch is made available to protect their customers.
Notable Techniques – When abusing the Structured Exception Handling (SEH) service on Windows, almost all Windows modules (DLL’s), and many 3rd party modules are compiled with the SafeSEH protection. Try scanning the memory outside of the loaded modules for a Pop/Pop/Ret sequence up near Kernel memory at 0x7ffbXXXX. At this location it is often an NLS table mapping derived from ANSI/OEM code page data, as per Microsoft. You can most often find a code sequence here to bypass SafeSEH.

Must-Have Tools

IDA* – A commercial software disassembler and debugger with a great amount of community support and free plugins, perfect for vulnerability hunting, code coverage testing, and exploit development. IDA provides many different views of a disassembled binary and the ability to graph out how and when functions are called in complex applications, as well as countless other features. By Hex-Rays  http://www.hex-rays.com/index.shtml
WinDbg – A free Kernel mode (Ring 0) debugger allowing you to analyze the Windows Kernel and hunt for vulnerabilities. WinDbg comes with the Windows SDK or WDK and can help you determine the cause of the infamous Blue Screen of Death! By Microsoft http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx
Immunity Debugger – A free User mode (Ring 3) debugger with great community support. Immunity Debugger has many freely available Python plugins to aide you in bug hunting and exploit writing, as well as an easy-to-navigate GUI interface. By Immunity http://www.immunityinc.com/products-immdbg.shtml
Mona.py – A free exploit development plugin for Immunity Debugger and WinDbg written by corelanc0d3r and the corelan team. Mona has pretty much everything you need to find ROP gadgets, trampolines, unprotected modules, and many easy commands to navigate Windows memory. By Peter Van Eeckhoutte & Corelan Team  http://redmine.corelan.be/projects/mona
BinDiff* – A commercial software diffing plugin to IDA. As patches are made to software it can be difficult to determine what code was modified. BinDiff, created by Zynamics and owned by Google, can help with pointing out code changes related to a patched vulnerability. By Google/Zynamics   http://www.zynamics.com/bindiff.html
Sulley – A free fuzzing framework for Windows and Linux. Sulley allows you to easily write up a protocol template which you can use to select various fields and conditions for fuzzing, all while providing monitoring and automation. By Pedram Amini & Aaron Portnoy  https://github.com/OpenRCE/sulley
GDB – A free command line *NIX application debugger. GDB provides you with the ability to debug and disassemble a program with easy to use commands and a lot of community support. GDB can debug applications written in C, C++, Objective C, Pascal, and some other languages. By GNU Project  http://www.gnu.org/software/gdb
VMware* – A commercial virtualization product with many diverse applications. VMware Workstation, Fusion for Mac, and the freely available VMware Player allow you to take snapshots of an operating system in any state desired. The tool helps greatly with exploit development and bug hunting by quickly allowing you to revert to a known good state just before a crash occurs.  By VMWare  http://www.vmware.com

* These tools are available on a commercial (cost) basis.
Great Resources for Staying Current

Exploit Database – http://www.exploit-db.com
Daily Dave Mailing List – http://seclists.org/dailydave
Corelan Team – http://www.corelan.be
Twitter – @exploitdb | @daveaitel | @corelanc0d3r

Associated SANS Courses

SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking www.sans.org/sec660
SEC760: Advanced Exploit Development www.sans.org/sec760

–Stephen Sims

Network Pen Testing Tips, Tricks, Tools and Resources

[Editor’s Note: For this year’s SANS Pen Test Poster, we asked some of the best pen testers and instructors in the industry to share their wisdom in a series of tips, tricks, tools, and useful resources for various kinds of penetration tests.  We got some great input on network pen testing, web app pen testing, mobile pen testing, exploit writing, and wireless pen testing.  We’ll be posting these really useful recommendations as a series of blog posts over the next few weeks.  The first in the series is this set of recommendations from the amazing John Strand of Black Hills Information Security. –Ed.]

By John Strand

Methodology

  • Recon – This is the one area most people skip over or put the least amount of effort into. Don’t. Without question, this is the most important phase. If done correctly, it is possible to gain access to a network without using a single exploit. For example, take a look at the modules available in recon- ng. Some of our favorites are the pwnlist modules and namechk.
  • Scanning – Try to be as accurate as possible. If your scanner supports a scan dedicated to PCI, don’t use it. PCI scans have a very high false positive rate. If the project is a Crystal-box or Grey-box test, look into credentialed scanning. It will reduce the false positives, and the scan will run much faster. As an added bonus, it will also dramatically reduce the likelihood of crashing a system. Finally, always review the low and medium risk findings. These lower-risk findings may add up and result in significant potential for attack.
  • Exploitation – Always explicitly set the TARGET in Metasploit, as it will reduce the likelihood of a target crash and will increase the likelihood of successful exploitation. Get very comfortable with the Social Engineering Toolkit. Learn how to bypass AV, see the reference section below.
  • Post-Exploitation – After you have access to a target system, put the exploits away. Dump the passwords, crack the passwords. Get familiar with mimikatz. Get familiar with passing the hash. Get familiar with password spraying. Pivot mercilessly.
  • Reporting – Tell a narrative and demonstrate the risk through screenshots and videos. Never, ever, copy and paste results from an automated tool.

Must-Have Tools

Software

Hardware

Teensy* – Emulate keyboards to take over systems.
Pwnplug* – Small, portable, powerful covert pen testing platform.
* These tools are available on a commercial (cost) basis.

Resources for Staying Current

http://www.pauldotcom.com
http://pen-testing.sans.org/blog/
http://www.darknet.org.uk/
http://computer-forensics.sans.org/blog/
http://www.darkoperator.com/
http://lanmaster53.com/
http://blog.commandlinekungfu.com/
http://www.pentest-standard.org/
https://community.rapid7.com/community/metasploit/blog
http://www.tenable.com/blog 

Associated SANS Courses

SEC504: Hacker Techniques, Exploits, and Incident Handling www.sans.org/sec504
SEC560: Network Penetration Testing and Ethical Hacking www.sans.org/sec560

–John Strand
@strandjs 

I don’t normally create new accounts on Windows systems, but when I do I use a long passphrase

[Editor’s Note: Here’s a nice little trick by Tim Medin on setting long Windows account passwords at the command line. Very useful stuff, especially in environments which mandate and enforce passwords longer than 14 characters.  –Ed.]

by Tim Medin

Ever have a Meterpreter session with shell access on a Windows system and try to create an account with long password/passphase? We have this same problem with any sort of command injection or a netcat shell. It goes something like this…

C:\> net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters.  Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

At this point you can’t hit Y to continue, due to limits of the shell itself. NOOO!!! Are we stuck with a password with 14 (or fewer) characters? Even worse, if the system is config’ed with a policy requiring passwords to be longer, you are kinda outta luck with setting up a password at the command line.  This can’t be! There must be a way.

The “net user” command help (net user /?) and online documentation reveal nothing helpful (Gee… that’s a huge shocker). But, we won’t give up that easily. Let’s try a few things. First, let’s try to pipe the “Y” response into the command.

C:\> echo Y | net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters.  Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

No luck, but maybe we can pipe the password into the command.

C:\> echo 15CharacterP@ss | net user tim /add
Type a password for the user:
Retype the password to confirm:
The command completed successfully.

At first it appears this works, but it actually creates the user with a blank password. NOT GOOD!

Let’s try something else. Maybe there is a hidden option.

C:\> net user tim 15CharacterP@ss /add /y
The command completed successfully.

Nailed it! There is a hidden option with the “net use” command, and several of the other “net” command options that change things.  A “/y” will accept the prompt and we can use a long password/passphrase.  Nice!

We can now create passwords that are impossible to store in the terrible LM format. These long passpharases should be very hard to crack.

Passwords are dead! All hail passphrases!

–Tim Medin
Counter Hack
@timmedin

Join me for the brand new SEC561: Intense Hands-on Pen Testing Skill Development in Orlando April 5-14
or
SEC560: Network Penetration Testing and Ethical Hacking in San Francisco Dec 16-21.