Category Archives: Pentest

Ingress Tool Transfer (MITRE ATT&CK T1105)

Attackers may need to download some tools to perform different actions on victim machine. Mostly, these can be some tools to help scan networks to move laterally, or make the attacker permanent on the victim machine. Whatever itself, there are many ways to do it and all of them are very easy to perform.

Here, my victim machine is a Windows 10 client, and I assume that we already exploited the victim’s machine and have a reverse connection. Now, I will create a web server on the attacker machine, so I can download from my web server in victim’s machine. (These works will be a demo for T1105)

Then I copied putty.exe to transfer to the victim. I am checking whether the web server is working or not;

Ingress File Transfer with Powershell

The first way to transfer file we try is powershell. Let’s execute the command below in our C&C terminal to download putty.exe in the victim’s machine and check the file;

“iwr” in the command stands for Invoke-Web Request which is a command in MS Powershell utility. Used to send HTTP and HTTPS request to a web page or a web service.

Ingress File Transfer with Certutil

Certutil.exe is a native Windows binary that is part of the certificate services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains (Src: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).

Attackers uses certutil.exe as a memory-only downloader via built-in -ping argument (Founded by researcher Casey Smith (@SubTee)).

Let’s type the command on C&C connection in the victim’s machine;

This command will download putty.exe that we located in our web server at the beginning.

IoC for Detecting Downloading via Certutil

Everyone can create their own IoC to detect this method, according to their own structure. This IoC looks for -ping and -urlcache arguments in certutil.exe (Src: fireeye.com).

THIS
processequalcertutil.exe
AND
processCmdLinecontainshttp:
AND
processCmdLinecontains-urlcache
AND
processCmdLinematches(weather\.gov|http://localhost/|noaa\.gov|\.crl)

Ingress File Transfer with wget

wget is a package supports downloading files via HTTP, HTTPS, FTP and FTPS. It can be used easily in scripts since it has a nonn-interactive structure. With using C&C connection, let’s run the command below on the victim’s machine;

TOR As A SOCKS Proxy

Almost all applications and web sites are trying to learn who we are and what we are looking for on the internet. These informations are being used for many different reasons like advertisements and to detect malicious attempts. Again, for many reasons, it is very important to surf internet anonymously. Tor is used for anonymous surfing all over the world. It is free to install and use in both Windows, Linux and OS X operating systems. 

It is very easy to install Tor and use as a browser in operating systems, however it will not be enough to use it as a browser only especially you want to use some other applications anonymously. For using other applications and command line tools anonymously, Tor SOCKS proxy needs to be installed. 

For installation, we need to add related software repositories, so we edit the sources.list file;

        # vim /etc/apt/sources.list

Then, we are adding the line below, to the bottom of the sources.list file. 

        deb http://deb.torproject.org/torproject.org wheezy main

We need to introduce the software repository’s key (gpg key) to the system;
# gpg –keyserver keys.gnupg.net –recv 886DDD89        # gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add –

Now, start Tor and check the service if it is running;
 # /etc/init.d/tor start        # service tor status

If the Tor service is running successfully, you need to see output as above. We need to enter one more command to start Tor service automatically after rebooting the machine. 
 # update-rc.d tor enable

After you enter this command, you can test it with rebooting the system. After reboot, check the status of the service;
 # service tor status

Now, this means we can use Tor for all applications that are supporting SOCKS proxy. For test, you can use Firefox. Change the proxy settings as localhost:9050 and check your IP address. Tor is using 9050 as default.