Tag: Red Team

Attacking Password Managers: KeePass

In this two-part blog post, Ill be taking a look into attacks password managers to improve my knowledge on techniques which can be used against them. To start with, I will take a look at local password managers by looking at the sort of techniques which can be used against KeePass. The second post covers some attacks against LastPass.

Ill start by covering some generic attacks against password managers (Both local and cloud-based), before moving onto KeePass-specific attacks.

  1. Generic Password Manager Attacks
    1. Monitoring/Grabbing the Clipboard contents
    2. Keylogging
  2. KeePass Attacks
  3. KeeThief
    1. Finding KeePass files
    2. Stealing the master password from memory
    3. Backdooring the trigger system
    4. Cracking A KeePass file
    5. Additional Persistence Methods

Generic Password Manager Attacks

Monitoring/Grabbing the Clipboard contents

We can do this within Cobalt Strike using the clipboard command. This is only a point-in-time grab of the data, and will not actively monitor it!

We can also use Mimikatz to do this with misc::clip, but this is way overkill for most situations

Keylogging

If we are feeling patient (or want to coerce the target into opening their password manager), we can grab the master password by keylogging their system to capture the main password.

KeePass Attacks

Now lets look into some KeePass-specific attacks. This was all performed against v2.52 which was the latest at the time! This was installed with all the default settings, and the TopSecretStuff.kdbx file is using a password of ‘infected‘.

And lets add a password or 2 to our KeePass database

KeeThief

KeeThief is another great tool from GhostPack. It was originally released 7 years ago and targets .NET 3.5, which meant I had to install the framework on my test system. For real-world usage, make sure you adapt this to your target environment!

I then had to combine the Microsoft.Diagnostics.Runtime.dll DLL into the KeeThief executable and make the entry point public to avoid getting an “Invoke_3 on EntryPoint failed” error in Cobalt Strike. To do this, I used ILMerge which was downloaded as part of building KeeThief. Using the csproj file from KeeThief for guidance, the final command was:

PATH_TO_KEETHIEF\KeeTheft\packages\ILMerge.2.14.1208\tools>ILMerge.exe /target:winexe /targetplatform:"v2,C:\Windows\Microsoft.NET\Framework\v2.0.50727" /target:exe /out:test.exe "PATH_TO_KEETHIEF\bin\Release\KeeTheft.exe" "PATH_TO_KEETHIEF\bin\Release\Microsoft.Diagnostics.Runtime.dll"

I also did the same for the associated PowerShell file which this should produce, using the command:

PATH_TO_KEETHIEF\PowerShell>powershell -exec bypass -File Out-CompressedDll.ps1 KeeThief.exe KeeThief.ps1

The commands are covered in the README of KeeThief

Finding KeePass files

Using the pre-built KeePassConfig.ps1 file, we can hunt in a system for KeePass XML files. These XML files contain the configuration data for KeePass which we will modify later on as part of an attack!

Stealing the master password from memory

We can now simply run the KeeThief tool against our system, and so long as KeePass is running, we can steal the plaintext master password. Notably KeePass just needs to be running on the system and be unlocked with the main password – a pretty typical arrangement for most users who use KeePass!

We can also do this using the KeeThief.ps1 script if we want to throw it back to 2017, with the Find-KeePassDatabaseKey cmdlet.

From this point, we could steal the TopSecretStuff.kdbx file, and interact with it away from the host.

Backdooring the trigger system

As mentioned in an older Mandiant report, KeePass includes a ‘trigger’ system which can be exploited. In short, this trigger system allows specific actions or commands to be run when specific criteria are met in KeePass. Mandiant’s example is to dump out the KeePass DB whenever KeePass is opened. On the 23rd January 2023, CVE-2023-24055 was released for this, but is disputed by KeePass.

As covered in the comments of KeePassConfig.ps1, we need to pipe the output of Find-KeePassConfig into Get-KeePassConfigTrigger for it to work.

This didn’t work with me, after a bit of debugging I believe the structure of the KeePass config has likely changed since the tool was created, or the tool had revealed a false positive file. Below is an example of the error within the Add-KeePassConfigTrigger function

After manually creating a Trigger on the target system, the C:\Program Files\KeePass Password Safe 2\KeePass.config.xml file had not changed and was essentially an empty XML file

<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Meta>
   <PreferUserConfiguration>true</PreferUserConfiguration>
  </Meta>
</Configuration>

This would explain why PowerShell was throwing an error, as there were no XML elements for it to add nodes onto! With a bit of hunting, I found the file at %APPDATA%/Roaming/KeePass/KeePass.config.xml

We can now pipe this file path into Find-KeePassConfig and then into Add-KeePassConfigTrigger like so:

"C:\Users\vagrant\AppData\Roaming\KeePass\KeePass.config.xml" | Find-KeePassConfig | Add-KeePassConfigTrigger -Verbose

We can confirm this by looking at the KeePass.config.xml file after running the command

Before we restart KeePass, note that there are no files in the %APPDATA%/Roaming/KeePass folder

After signing into KeePass, a file named TopSecretStuff.csv is dropped into the folder

Which we can open to reveal our passwords

We can then remove our configuration change by running Remove-KeePassConfigTrigger

Cracking A KeePass file

The above attacks have relied on us compromising a system where the user is either actively using KeePass, or will routinely use it. What if we come across a user which only infrequently uses it, or find a *.kdbx file on a share?

For this, we can use the keepass2john executable from John The Ripper – which is built into Kali. If you are using a different OS, then Harmj0y has made a Python script to do this!

We now have our hash:

Looking at the example hashes from Hashcat (Mode 13400), we can see that we will need to remove the database name ‘TopSecretStuff‘ from the beginning of this string

We can then run Hashcat using mode 13400 to try and crack this

hashcat.exe -a 0 pass.txt rockyou.txt -m 13400

Additional Persistence Methods

Something which I read about, but didn’t attempt was obtaining persistence via the KeePass plugins, which is covered by @two06 on Medium, they also have another post which covers another way of abusing the trigger system to execute arbitrary code, in a similar way to KeeThief’s persistence method.

In my second post in this series, I will take a look at LastPass as an example of a cloud/browser-based password manager!

SharpRDPHijack: RDP Session Hijacking

Overview

SharpRDPHijack by Bohops is a tool which has sat in my Twitter likes for far, far too long! In this article I am going to dig into SharpRDPHijack, as well as some alternate tooling which can also be used to perform RDP session hijacking. This technique is covered by MITRE ATT&CK under T1563.002.

For this demo, I will have 2 computers. A domain controller (DC) and an Exchange box (Exchange). I will assume we have local admin on the Exchange machine. This is a little contrived but I will treat the Exchange server as a standard server – rather than the privileged server that it is. I also enabled RDP (and NLA) via a GPO on all devices on my domain.

SharpRDPHijack

Initially, I will connect from DC to Exchange, showing what would happen when a highly privileged (and a bit thick) user RDP’s onto a lower tier machine. Attack paths like this will always be of interest to an attacker, as it allows them to gain additional privilege in the target environment.

After disconnecting our RDP session on DC, we can now see we have a disconnected session under ID 3 on the Exchange server, by using the command SharpRDPHijack.exe --tsquery=localhost

Using SharpRDPHijack.exe --session=3 we will be put into a GUI where we can interact with the session created by the Administrator account on the Exchange server. We can then pull up a command prompt to verify we are now acting as the Domain Admin account on Exchange. As part of this process, SharpRDPHijack will attempt to elevate to SYSTEM privilege.

After logging out of that session, we can no longer see session 3 in the output from SharpRDPHijack.

But if we opt to disconnect instead, the session will unsurprisingly remain in a disconnected state – so we can reuse it.

TSCon

Instead of using attacker tooling, we could use the tscon executable to interact with a disconnected session. To do this, we can query for sessions using the query user command

From this point, you need to obtain SYSTEM privileges, where the command (tscon 3 /dest:console) can be run. Two common ways of achieving this would be either PSExec.exe -s cmd.exe or creating a service to spawn cmd.exe with your chosen arguments and session IDs.

In my lab, I was unable to get this technique to spawn a GUI RDP session. I suspect this is due to it already running via Guacamole & RDP, which interfered with the technique. Using VMs on my laptop, this technique worked successfully.

Mimikatz

Unsurprisingly, Mimikatz has a module for interacting with Terminal Services. We can query the sessions with ts::sessions. In reality, using Mimikatz for this purpose is seriously overkill, but I guess its another handy feature of Mimikatz nonetheless! I have recently dug into some other functions of Mimikatz, and discovered some new modules I wasn’t previously aware of.

We can then connect to this disconnected session with ts::remote /id:3.

Remember that this requires SYSTEM privileges, so you will need to run token::elevate before this.

Detections

Looking around, there aren’t many articles which cover how to detect this behaviour. Kevin Beaumont recommends creating a GPO to log off all disconnected sessions, but it might well have a pretty hefty real-world impact and wont be popular, therefore a detective measure would likely be better.

The two main event IDs are 4778 which tracks when a disconnected session is resumed, and 4779 which logs when a session is disconnected. Using these two in isolation would likely be hard to build a reliable detection, as there isn’t enough detail within them, as shown below.

I would say that the best detection for this is likely via a series of different detections as part of a defense-in-depth methodology. The process of exploiting RDP session hijacking has several steps, which introduces potential places where an attacker could be caught:

  1. Escalating to SYSTEM privilege (i.e. Interacting with LSASS, PSExec, service creation)
  2. Using several brittle detections for command line arguments, such as the Sigma rule for detecting TSCon being used. Whilst these may not be very high fidelity, they might be able to add some value for detection.
  3. Detect users querying for disconnected RDP sessions, as that should be fairly unusual behaviour.

Summary

RDP session hijacking is a really interesting technique for privilege escalation without purely leveraging Active Directory (i.e. Kerberoasting or abusing ACLs). I think SharpRDPHijack fills a neat gap between the very noisy Mimikatz and the likely better signatured tscon.exe executable.

Whilst it is a somewhat noisy tool, its definitely one I will be adding to my toolset for future use!

Certified Red Team Operator (CRTO) Review

Intro

Having recently passed the CRTO course by RastaMouse, I felt it was only right to write a little review on it. Typically, the course has changed slightly since I sat it, with the labs now using Elastic Security in place of Splunk. Aside from this I believe the course is practically the same.

TL:DR

Go and buy it now! It is the best qualification out there if you are looking to break into offensive security. The labs & coursework are great and will teach you a range of techniques used in real-world red teaming.

In the past few days since writing this, CRTO has been listed as a ‘Trusted Training Partner’, showing how good this course is.

Labs

The course works via Apache Guacamole, in a very similar way to ImmersiveLabs and a few other online training providers. All of the labs can be spun up on request, but you only have a limited amount of lab time.

I went for the 120 hour option, which I felt was just right, though I would recommend reading through the material first and then approaching the labs. This will reduce the amount of time the labs are running whilst you try to understand the more complex attacks (cough cough resourcebased constrained delegation).

I believe CRTO is the cheapest way you can legitimately use Cobalt Strike, without having to pass the licencing checks or use a cracked version. This is really handy as Cobalt Strike is used so widely for red teaming.

Lab Issues

Running the labs through a browser does have its limitations, with no drag-and-drop and less keyboard shortcuts available. I would say this is preferable to having to create your own VMs and VPN into a network, as you can begin learning straight away.

The labs I had came with a version of Office and Splunk, both of which reverted to a trial mode after a few uses, whilst there was a fix for that issue, it did feel a little hacky to me.

Importantly, these are dedicated labs and you wont accidentally get any spoilers from other users. As with most online labs, it is worth giving them 5-10 minutes to fully load before beginning any testing or activity.

Learning Material

As mentioned previously, the content of this course is EXCELLENT. It covers a wide range of different attacks, as well as covering off the paperwork & reporting side of red teaming. The material is written in the style of a technical blog post, with code snippets throughout. Handily there are some videos included for the more complicated techniques, which helped to solidify my understanding. There are also hints and tips for OPSEC considerations, which is a nice touch.

A significant part of the material focuses on Active Directory-based attacks, such as kerberoasting or AD permission abuse. There are also sections on attacking SQL Server and GPOs which I personally found really interesting.

Exam

The exam gives you 48 hours of lab time over a span of 4 days, with a mock network for you to break into. This basically the same format as the labs, with the ability to reset your Kali and Windows boxes.

Scoring is structured like a CTF, where you only have to obtain a flag on the machine to prove you have compromised it. There are 8 machines, and you need to obtain 6 flags to pass. Importantly there is no reporting requirements, which makes this exam feel far less stressful than OSCP.

The exam can be booked at really short notice – I booked mine with only 6 hours of notice. When your exam starts, you will have another course option within SnapLabs which contains the lab environment.

One thing which surprised me was the smaller toolset available in the exam – something which I hadn’t seen anyone else mention in the other reviews. Effectively you have a subset of the tools from the training labs, which required me to think on my feet a bit! Whilst it pointed out some gaps in my knowledge, I think it would have been handy to have the full toolset for the exam, or at least have knowledge of which tools wouldn’t be provided in the exam.

The exam lab was also really well laid out, allowing you to easily regain your access without having to recompromise every machine in turn. There are some quirks with the exam labs though, with one of my flags failing to generate. This can be resolved by chatting to RastaMouse on the dedicated Discord channel.

CRTO vs OSCP

OSCP has been a fairly ubiquitous qualification within cyber security for a number of years. I would personally say that OSCP does have its place, and is still worth the effort if you are wanting to pursue a penetration testing route. Despite that, I feel that there is more to be gained from completing CRTO and paying for VIP+ on HackTheBox, than shelling out for OSCP.

OSCP was a great learning experience for me, but most of the machines were severely outdated and used exploits from the 00’s. In comparison, CRTO uses Windows 10/Server 2016+ everywhere, making it far more representative of the real-world. The majority of CRTO is misconfiguration-based, whereas OSCP is vulnerability-based.

The exam experience for CRTO was also significantly better, with far less lead time and a less stringent approach. There is no proctoring or report writing, and the 4 day timespan means you can still have a life whilst taking the test.

Improvements

I would change very little about the CRTO course personally. I think VPN access would be handy so that you can bring your own tooling, but it isn’t a big issue at all.

Update 23/2/22: RastaMouse confirmed that the lack of VPN access is a requirement of the licencing with Cobalt Strike (HelpSystems). Therefore the lack of VPN makes total sense in order to get a CS licence in this training!

As mentioned about 10 times a day on Discord, RTO 2.0 would be the main improvement I can think of. A course focused more on AV/EDR evasion or simply more advanced/complex attacks would be a great addition to this course. I think a greater focus on maintaining long term access to the target network would also be a nice improvement, as CRTO only briefly touched on it.

I also think a course which required you to use Splunk/Elastic in combination with Cobalt Strike would be quite interesting and could be aimed more at threat hunters or SOC analysts.

Overall

As you have probably guessed, I really enjoyed this course. I am not aware of any other courses which offer the combination of great labs and content like CRTO does. I think it is a great introduction into red teaming methodology, and will help many people to up their skills.

Below are some other blog posts I found handy before taking my exam, which are also worth checking out: