WRITING OFFENSIVE .NET TOOLS
OR HOW I GOT CONTINUOUSLY SIDETRACKED FOR A YEAR
2 Confidential & Proprietary
Alexander Polce Leary
Name: Alexander Polce Leary
Job: Network & Application Pentester @ NetSPI, Red Team Lead
Twitter: @0xbadjuju
Slides: On their way
Blogs: https://blog.netspi.com/author/aleary/
Code: https://github.com/0xbadjuju/
Overview
- Why develop in .Net
- Tools
  - WheresMyImplant
  - Tokenvator
  - RunDotNetDll32
  - MonkeyWorks
- Issues presented with .Net Toolkits
WHY DEVELOP IN .NET?
Why develop in .Net?
Low barrier to entry
1. Familiarity
2. Documentation
3. Resources
4. Visual Studio
5. Reflection (Late Binding)
TOOLING
WheresMyImplant
Introduced at DerbyCon & ArcticCon 2017
- C# WMI provider for persistence
- Picking up where I left off
- Problem: Not useful enough
- Solution: Make it not dependent on other toolkits
- To Do: Too long to list here
https://www.irongeek.com/i.php?page=videos/derbycon7/s01-building-better-backdoors-with-wmi-alexander-leary
WheresMyImplant
- First list item – SAM Hash Dumping
- Problems:
  - How to do this?
  - Requires SYSTEM access
  - How to get SYSTEM?
Tokenvator
- Started as the GetSystem portion
- Released June 19
- Picked up on Twitter March 18
- Before it was released it was more popular than all other projects on my GitHub combined
Core Goal
- GetSystem
Stretch Goals?
- GetTrustedInstaller
- Steal_Token
- ByPassUAC
- List_Privileges
- Enable_Privilege
- WhoAmI
- RevertToSelf
Ooo Shiny Goals!?
- Disable_Privilege
- Remove_Privilege
- Nuke_Privileges
- Steal_Pipe_Token
- Sample_Processes
- Sample_Processes_WMI
- Find_User_Processes
- Find_User_Processes_WMI
- List_Filters
- List_Filter_Instances
- Detach_Filter
- Unload_Filter
- …
Tokenvator
- So what happened?
  - Ooo shiny factor (Scope Creep)
  - Caused it to grow in size to be its own tool
- I made the mistake of asking for suggestions
  - Tab completion?
  - Context Specific Help Menu?
  - Wiki?
WheresMyImplant
- Got SYSTEM
- Now where were we?
  - Adding modules
- Problem:
  - Testing modules in a .Net DLL
  - There's no easy way of running methods
  - PowerShell gets tedious
RunDotNetDll32
- Simple way to run a .Net library
- List the Namespaces, Classes, Methods, and Parameters without a reflector
- Released April 24
RunDotNetDll32
- Kept to a limited scope
- ...until I started using it on engagements
RunDotNetDll32
- Initial Release
  - Assembly.LoadFile()
  - Ran into issues with EDR
  - Keeps the DLL in memory
- Second Release
  - AssemblyName.GetAssemblyName() -> Type.GetType()
  - Avoids Assembly.LoadFile()
  - Doesn't keep the DLL in memory
- Third Release
  - Interactive Mode
  - Limited utility with one-off commands
WheresMyImplant
- Welp, that just happened again
- Back to building modules
Starting Point
- MiniDump
- Clipboard Monitoring
- KeyLogger
- Lateral Movement
  - WMI Method Execution
  - WMI Query
  - SMB Exec (PsExec)
  - PTH SMB Client - Get, Put, Del, List
  - PTH SMB Exec (PsExec)
  - PTH WMI Exec (Win32_Process)
  - DCOM – DDE, MMC, ShellWindows, ShellBrowserWindow, ShellAutomation, and more
- ShellCode Injection
- DLL Injection
- Reflective PE Injection
- Run Command
- Run PowerShell
- Run XP_CmdShell
- C# Empire Agent
- WMI Provider
- WMI for file storage
New Stuff
- Injection
  - Process Hollowing
  - Thread Hijacking
- Credentials
  - SAM Dump
  - LSA Secrets
  - Domain Cached Credentials
  - Credential Vault + CLI
  - Wireless Profiles PSK
- Collection
  - Browser History
  - Memory Scraper
- Persistence
  - Add Local User + Add Local Admin
  - Add Domain User
  - Add User to Domain Group
  - Delete Domain User
  - Remove Domain User From Group
  - WMI Self Install
- Recon
  - LDAP Queries
  - LDAP – Domain Controllers
  - LDAP – Domain Groups
  - LDAP – Domain Users
  - LDAP – Domain Group Members
  - LDAP – Domain Protected Users
  - LDAP – Kerberos PreAuth
  - LDAP – Password Never Expires
  - LDAP – Password Not Required
  - LDAP – ServicePrincipalNames
  - LDAP – LAPS Password
  - Local – ComputerName
  - Local – Domain Name
  - Local – LogonServer
  - Local – AntiVirus Product
  - Local – OS Info
  - Local – Mapped Network Drives
  - Local – Tasklist
- Misc
  - Base64 Encode File
  - Generate NTLM Hash
  - And More
WheresMyImplant + Tokenvator
- Problem: Large Shared Codebase
  - Maintaining consistency between the two
  - Did it by hand for too long
- Solution:
  - Git Submodules
  - Tokenvator is a submodule of WheresMyImplant
MonkeyWorks
- This is a library of P/Invokes and SMB Client Methods
- P/Invokes are organized by library and header file
  - MonkeyWorks.Unmanaged.Libraries.Advapi32
  - MonkeyWorks.Unmanaged.Headers.Winnt
- SMB Client is organized by method
  - Port of Invoke-TheHash
  - MonkeyWorks.SMB.SMB2.SMB2IoctlRequest
https://github.com/NetSPI/MonkeyWorks/
Headers:
- FltUserStructures
- MinWinBase
- Minidumpapiset
- Ntifs
- Ntpsapi
- Ntsecapi
- ProcessThreadsApi
- Rpcdce
- Subauth
- TlHelp32
- WinCred
- Winbase
- Wincon
- Wincrypt
- Windef
- Winnt
- Winsvc
- Winternl
- Winuser
- wudfwdm
Libraries:
- advapi32
- crypt32
- dbghelp
- fltlib
- kernel32
- ntdll
- secur32
- user32
- vaultcli
- wlanapi
- wtsapi32
SMB Client:
- DCERPCAUTH3
- DCERPCAlterContext
- DCERPCBind
- DCERPCRequest
- DCOMRemQueryInterface
- DCOMRemRelease
- DCOMRemoteCreateInstance
- NTLMSSPVerifier
- NetBIOSSessionService
- SVCCTLSCMCloseServiceHandle
- SVCCTLSCMCreateServiceW
- SVCCTLSCMDeleteServiceW
- SVCCTLSCMOpenSCManagerW
- SVCCTLSCMStartServiceW
- SMB2CloseRequest
- SMB2CreateRequest
- SMB2FindFileRequestFile
- SMB2GetInfo
- SMB2Header
- SMB2IoctlRequest
- SMB2NTLMSSPAuth
- SMB2NTLMSSPNegotiate
- SMB2NegotiateProtocolRequest
- SMB2ReadRequest
- SMB2SessionLogoffRequest
- SMB2SessionSetupRequest
- SMB2SetInfo
- SMB2TreeConnectRequest
- SMB2TreeDisconnectRequest
- SMB2WriteRequest
- SMBCloseRequest
- SMBHeader
- SMBLogoffAndXRequest
- SMBNTCreateAndXRequest
- SMBNegotiateProtocolRequest
- SMBReadAndXRequest
- SMBSessionSetupAndXRequest
- SMBTreeConnectAndXRequest
- SMBTreeDisconnectRequest
- SMBWriteAndXRequest
ISSUES WITH .NET
Problems
- Framework Versions
  - Windows 7 – .Net 3.5 – CLR 2.0 (Default)
  - Windows 10 – CLR 4.0 (Default)
- More Framework Problems
  - .Net Framework 4.8 will be the final “Framework” release
  - .Net Core will be taking over
- Trivial to Reverse Engineer
- AMSI inevitability
  - Seems to be partially implemented in Defender
QUESTIONS?
http://slideshare.net/0xbadjuju/
@0xbadjuju
https://github.com/0xbadjuju/WheresMyImplant
https://github.com/0xbadjuju/Tokenvator
https://github.com/0xbadjuju/rundotnetdll32
https://github.com/NetSPI/MonkeyWorks
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
Empowering enterprises to scale & operationalize their
security programs, globally.

2018 Writing Offensive .Net Tools


Editor's Notes

• #6: Familiarity – Similar to Java and PowerShell. Documentation – MSDN is massive. Resources – Stack Overflow – If you have a question it’s already been answered somewhere – p/invoke. Visual Studio – Seems small, but small things like IntelliSense lower the barrier to entry.
• #8: Reaction was well… Muted
• #9: How to do this – this is a recurring theme
• #10: There are people out there that creep on repos
• #11: Reaction was well… Muted
• #12: I should mention that even my wife is a project manager. Well, it turned into a cool project.
• #13: …So why is it its own tool?
• #19: Reaction was well… Muted
• #20: Reaction was well… Muted
• #22: Similar to PSReflect Project
• #23: Reaction was well… Muted
• #24: Reaction was well… Muted