Tag: registry

Alternative psexec: no wmi, services or mof needed

For me the fun in hacking still remains in finding new ways to achieve the same goal. On one of those days with splendid sun and people having their beer, I thought it would be a good idea to start researching how to get a remote Windows shell without using any of the more  well known methods and preferably from a Linux host. To set the proper context I’m talking about the situation where you have gathered local administrative credentials and want to start gathering shells all over the network. I started to research the current methods and see how they worked the way they did. Then I did a lot of searching around and also some basic process monitoring stuff. This eventually gave me what I wanted a new?? way to start remote processes without using any of the known methods BUT unfortunately it has one possible drawback: it is not instant like the other well known methods.  Depending on your goal and time this can be as much a drawback as it can be an advantage. The actual method IS NOT really new it’s just used in a remote way. Let’s do a quick recap of the ‘well known’ methods I’m referring to, to make sure we are on the same level:

psexec
This is probably the most well known one and implemented in a dozen ways. The basics revolve around uploading an executable and creating a service that starts the executable. It’s efficient, reliable and thoroughly tested. It works from Windows and Linux hosts.

Windows Management Instrumentation (WMI)
This one is often used from visual basic script files or powershell scripts to exeute processes remotely. As far as I can tell it uses some undocumented dcerpc functions. It works very nice from Windows host, but I haven’t seen a Linux implementation yet. There is a libwmi library but I think it only does WMI queries, please correct me if I’m wrong.

Windows Remote Management / Shell (WinRM / WinRS)
This one is pretty neat since it uses the mechanisms provided by Windows to give you a direct shell without uploading anything or making use of temporary files. There is a nice write up about it on the rapid7 website.

Managed Object Format (MOF)
This one seems to have come into existing with Stuxnet and is pretty sexy. All you have to do is drop a correctly prepared file and Windows will execute it.

Looking at all these methods there are a two things that caught my attention:

  • DCE/RPC is pretty powerful
  • Eventually you want to upload your own executable (ex: meterpreter)

If you are impatient you can skip to the source of the POC on github, if you want to know more keep reading.

Continue reading “Alternative psexec: no wmi, services or mof needed”

vbscript based interactive registry viewer

Sometimes (don’t ask me why) when you are hacking some terminal server it happens that an administrator has disabled regedit.exe and reg.exe, but forgot about visual basic script (vbs). I know, I know everyone is all busy with powershell, but trust me sometimes vbs is the right script for the job. So I hacked together a quick script to view the registry which you can find on my github:

https://github.com/DiabloHorn/DiabloHorn/blob/master/misc/regview.vbs

It should be pretty self-explanatory, but just in case here is some example usage:

C:\>cscript regview.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[] help

help - displays this help
cd  - change to that key
back - go to parent/previous key
ls - list current subkeys
lsv - list current key values
use - root key number to use
        0 - HKEY_CLASSES_ROOT
        1 - HKEY_CURRENT_USER
        2 - HKEY_LOCAL_MACHINE
        3 - HKEY_USERS
        4 - HKEY_CURRENT_CONFIG

[] use
key number: 1
[HKEY_CURRENT_USER\] cd software\vmware, inc.
[HKEY_CURRENT_USER\software\vmware, inc.] ls
VMware Tools
[HKEY_CURRENT_USER\software\vmware, inc.] cd vmware tools
[HKEY_CURRENT_USER\software\vmware, inc.\vmware tools] lsv
[HKEY_CURRENT_USER\software\vmware, inc.\vmware tools] ls
Hgfs Usability
[HKEY_CURRENT_USER\software\vmware, inc.\vmware tools] cd hgfs usability
[HKEY_CURRENT_USER\software\vmware, inc.\vmware tools\hgfs usability] lsv
Entry Name: mappedDriveLetter
        Data Type: String
        Value: z
[HKEY_CURRENT_USER\software\vmware, inc.\vmware tools\hgfs usability] back
[HKEY_CURRENT_USER\software\vmware, inc.\vmware tools] back
[HKEY_CURRENT_USER\software\vmware, inc.] exit

I know it lacks a search function, I’ll see if I get around to implement it any time soon. A script to change values is a whole other story though and something I don’t really need that often. If you encounter bugs, do fix them :)

InternetQueryOption, INTERNET_OPTION_USER_AGENT – Replacement

This is a clear case of …. uhmm got no clue. All I know is that I’ve tried in quite a few different ways to use the InternetQueryOption API function to retrieve the default User Agent and all have failed. The internet contains posts about other people also not being able to retrieve the User Agent…so I got really frustrated. Finally decided to just retrieve the User Agent the old fashioned way, by directly talking to the registry. So here is a quick function to do that:


/*
 Returns a pointer to the useragent string.
 Return NULL if something goes wrong.
 do NOT forget to free it!
*/
char *getUA(){
 LONG res;
 HKEY regopen;
 char *ua;
 DWORD type;
 DWORD size = 80;

 ua = (char *)malloc(80);
 SecureZeroMemory(ua,80);
 res = RegOpenKeyEx(HKEY_CURRENT_USER, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"),0,KEY_QUERY_VALUE,&regopen);
 if(res == ERROR_SUCCESS){
 res = RegQueryValueEx(regopen,TEXT("User Agent"),0,&type,(BYTE *)ua,&size);
 if(res == ERROR_SUCCESS){
 RegCloseKey(regopen);
 return ua;
 }
 }
 free(ua);
 return NULL;
}