Advanced Pen Testing Techniques-DNS-WMI
1 like760 views
This document discusses advanced penetration testing techniques using reverse DNS and Windows Management Instrumentation (WMI). It describes how attackers can use DNS tunneling to sneak data in and out of an organization by encapsulating it within DNS packets. It also explains how WMI events on Windows systems can be used to persistently run agents and payloads even after reboots by binding event filters and consumers. Detection techniques involving WMI monitoring are also presented. The document aims to educate penetration testers and security professionals about these stealthy techniques being used by cybercriminals.
Advanced Pen Testing Techniques-DNS-WMI
- 1. Advanced Penetration Testing Techniques Using Reverse DNS and WMI
- 2. “…unique, blind spots that cybercriminals are exploiting…” Alberto Soliño Technical Program Management Ty Miller Director, Threat Intelligence
- 3. AGENDA Evolving DNS Channel Agent's Persistency Using WMI Events Windows WMI Terminology
- 4. Sneaks data in and out of an organization within DNS packets • Force internal user machines to: o Encapsulate data within DNS packets o Send them out via internal DNS servers o Then through DMZ DNS relays, and o Out to a fake DNS server on the internet o Data is then returned in the DNS responses WHAT IS DNS TUNNELING?
- 5. DNS Tunneling can bypass common security controls: • Outbound firewall policies • Web Proxies • Authentication • Web Filtering WHY DO WE NEED IT?
- 6. DNS Tunneling can bypass common security controls: • Reverse Connections Blocked o Connect from Target • Bind Port Blocked o Connect to Target • HTTP(S) Tunneling Blocked • DNS Tunneling bypasses these controls WHEN SHOULD WE USE IT?
- 7. FAKE DNS SERVER! ! ATTACKER! ! VICTIM! ! DNS RELAY! ! AUTHENTICATED ! PROXY SERVER WITH WEB FILTERING! ! INTERNAL DNS SERVER! !
- 8. FAKE DNS SERVER! ! AUTHENTICATED ! PROXY SERVER WITH WEB FILTERING! ! INTERNAL DNS SERVER! ! AGENT! ! ATTACKER! ! VICTIM! ! DNS RELAY! !
- 9. FAKE DNS SERVER! ! AUTHENTICATED ! PROXY SERVER WITH WEB FILTERING! ! INTERNAL DNS SERVER! ! AGENT! ! ATTACKER! ! VICTIM! ! DNS RELAY! !
- 10. FAKE DNS SERVER! ! DNS RELAY! ! AUTHENTICATED ! PROXY SERVER WITH WEB FILTERING! ! INTERNAL DNS SERVER! ! AGENT! ! ATTACKER! ! VICTIM! !
- 11. WINDOWS WMI TERMINOLOGY Windows Management Instrumentation • Microsoft’s enterprise management framework • Available since NT4, default since Windows XP • Allows admin to administer all server’s configuration remotely o protocols: DCOM and WinRM • Accessible programmatically or by utilities o wmic, powershell, etc • Managed components are represented as WMI objects o Win32_Process, Win32_Service • Objects are queried using a SQL like language called WQL o SELECT ProcessId, Name from Win32_Process • Actions are represented as WMI object’s methods o Win32_Process.Create()
- 12. WINDOWS WMI–CORE IMPACT PRO Modules • WMI Shell • Install Agent using WMI • Create persisted agent using WMI • Remove WMI persistence Programmatically (Python) • Impacket (https://github.com/CoreSecurity/impacket)
- 13. ABOUT WMI EVENTS “They start when the computer starts, and they stop when the computer shuts down. When the permanent event consumer is running, nothing indicates that it is actually doing so. There is no special process visible in Task Manager, and no graphical user interface is exposed. Permanent event consumers are part of WMI and therefore they require no special setup, nor do they require special installation. They are used by many management applications and therefore you can have one or more permanent event consumers already setup and responding to events on your computer.” (*) *http://blogs.technet.com/b/heyscriptingguy/archive/2010/12/06/learn-how-to-use-vbscript-to-create-permanent-wmi-events.aspx
- 14. HOW TO BUILD A PERMANMENT EVENT Create a WMI __EventFilter or __IntervalTimerInstruction instance (the condition): • Example 1: trigger this event when ‘calc.exe’ is executed • Example 2: trigger this event every 10 seconds Create a WMI __EventConsumer instance (what to do) • Example1: ActiveScriptEventConsumer will execute VBScript that creates a file in ‘c:’ Create a WMI __FilterToConsumerBinding instance (the bind) • Will bind the two created instances. Whenever the __EventFilter / __IntervalTimerInstruction is trigged, the EventConsumer will be called
- 15. TESTING AND DETECTION Testing • Core Impact Pro 2015 R1 agent’s persistency supports WMI Detection • Manually using wmic.exe: o wmic.exe /namespace:rootsubscription PATH __EventConsumer get /format:list o wmic.exe /namespace:rootsubscription PATH __EventFilter get /format:list o wmic.exe /namespace:rootsubscription PATH __TimerInstruction get /format:list o wmic.exe /namespace:rootsubscription PATH __FilterToConsumerBinding get / format:list • Some AVs starting to monitor these WMI objects • Mark Russinovich’s AutoRuns for Windows
- 16. Thank you! Now, it’s time for Q&A.
- 17. TY MILLER. @tyronmiller @coresecurity I blog.coresecurity.com I www.coresecurity.com ALBERTO SOLIÑO. @agsolino ty.miller@threatintelligence.com I www.threatintelligence.com
- 18. • Multi-Threat Surface Investigation • Commercial-Grade Framework • Custom Reports & Results • Security Awareness & Evidence • Remediation Validation
- 19. WEB Test for OWASP Top 10 web application vulnerabilities WI-FI Fake access point functionality for man-in-the-middle attacks MOBILE Mobile device exploitation modules including Android Agent ENDPOINT Test end-user awareness for phishing and social engineering MULTI-VECTOR ATTACKS NETWORK Pivot across networks using vulnerable systems