Showing posts with label windows.

Monday, October 1, 2018

Better Web-Pentesting in Windows with AHK

(This is a repost from https://www.acunetix.com/blog/web-security-zone/better-web-pentesting-in-windows-with-ahk/)

Recently, I have moved to Malta. It’s quite hot here, but as I’m from a colder country, I like it very much. Actually, I’m obsessed with everything hot, including hotkeys!

Every pentester / researcher / bug bounty hunter / etc. has their own approach to doing things in their own work environment. So in this article I’m not looking to give exact solutions; the aim is to share some ideas (which I found useful), so you can take a fresh look at your approach and push your imagination in this area.

Windows is not a very popular OS for pentesters, for many reasons. Sometimes, however, we need to use it (at least on a virtual machine). I have been a pentester for 8 years and have pentested many “windows-only” applications; I remember that pain, I even got used to it… But nowadays things are not so bad and hacky.

Today I want to discuss AutoHotKey. This is an old tool and, I’m sure, many of you use it for some kind of automation. I suggest looking at it as a tool for pentesters.

Basics

AHK is a small tool which can set global hotkeys and perform a lot of actions in the OS. Actually, it has its own scripting language, and, if you have enough knowledge (and patience), you can do whatever you want.
I will not explain the syntax of the scripts (there is better documentation about it here), but I’ll give you a bunch of examples.

So, the basic idea of AHK is quite simple: in scripts you set global hotkeys, and once you press one of them, AHK performs the necessary action. All you need to do is install AHK, create your scripts and run them.

We all use many programs at once, but we need to use ALT+TAB to switch between them, and it can be worse if you use multiple desktops.
Using the next script you can focus a necessary program (or run it, if it’s closed), even if you are on another desktop, just by pressing Shift+Ctrl+F4 (+ is Shift, ^ is Ctrl):
+^F4::                      ; Shift+Ctrl+F4: focus Sublime Text, or start it
SetTitleMatchMode 2         ; match "Sublime Text" anywhere in the window title
IfWinExist Sublime Text
    WinActivate, Sublime Text
else
    run "C:\Program Files\Sublime Text 3\sublime_text.exe"
return

+^F5::                      ; Shift+Ctrl+F5: focus Google Chrome, or start it
SetTitleMatchMode 2         ; needed here too: the setting only applies to the current hotkey thread
IfWinExist Google Chrome
    WinActivate, Google Chrome
else
    run "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
return

Rebinding

For researching/pentesting anything related to the web, you need to have all popular browsers at hand. But it’s such a pain that they have different hotkeys, or lack them.

For example, by pressing a hotkey (Ctrl+Tab) I can cycle through the last used tabs (not just the next or previous tab). It works out of the box for Firefox, but for Chrome you need an extension (CLUT: Cycle Last Used Tabs, for example). However, even with the extension, you cannot bind Ctrl+Tab to this operation, because you cannot rebind Chrome’s hotkeys.

With AHK, you can easily achieve this. Firstly, AHK gives us an opportunity to set global hotkeys for specific applications. Secondly, we can “rebind” hotkeys. Here, only for Chrome, when we press Ctrl+Tab, AHK intercepts it and sends Alt+W into Chrome (! is Alt), so our extension shows us the last used tab.
#IfWinActive ahk_exe chrome.exe   ; the hotkey below exists only while Chrome is the active window
^Tab::                            ; Ctrl+Tab is intercepted...
Send, !w                          ; ...and Alt+W (the extension's shortcut) is sent instead
return
#IfWinActive                      ; end of the Chrome-only block

Hotstrings

Also, AHK supports hotstrings. What are they? When we type a specific sequence of characters anywhere in Windows, AHK replaces it with whatever you want.

Typical example: wherever I type the two characters “a” and “@”, they will be replaced with my email.
 :*:a@::agrrrdog@gmail.com
Here are some cases which I found useful.

When I pentested Windows-only applications with fat clients, it was annoying to input credentials again and again, especially if the application has “several layers of protection” or if you need to test multiple roles.
Here is a solution. Create a script which you use only during a project (with AHK you can run or stop as many ahk-scripts as you want at any time) with the necessary credentials.

:*:!t1::testAccount
:*:!p1::VeryLoooooongP4ssword
:*:!t2::adminTestAccount
:*:!p2::p4ssw0rd



Now you can input them fast without using a text document and the clipboard 🙂
We still do a lot of web hacking manually; therefore, we can set hotstrings for the most useful things, which we enter again and again.

Here are some self-explanatory examples (here I use % just to make the strings more unique):
::%lh::localhost
::%lhh::http://localhost
:*:%hs::https://
::%d.c::document.cookie
::%d.d::document.domain
::%js::javascript:
:*:%c.l::console.log('');{Left 3}
::%alrt::https://yourserver.com/xss_payload.js
::%man::¯\_(ツ)_/¯

But we can improve it. For example, we can set our favourite payloads and also add random parts to them, so it will be easier to track input/output down in the proxy. Wherever we type %xss1, it will be replaced with “<svg/onload=alert(17384)> you see, lol?
:?*:%xss1::
Random, rand, 1, 99999
SendInput "<svg/onload=alert(%rand%)>
return
Or with our DNS/HTTP connection-checker:
::%xgl::
Random, rand, 1, 99999
SendInput http://x%rand%.yourserver.here/poc
return

Encode-everywhere

When pentesting or researching something, we often work with strings, their encodings and modifications. We have some tools which help us (like the HackBar addon for browsers) or we use online resources. What if we could make it (semi-)global? For example, we select a string in any application, press a hotkey and get its base64-(de/en)coded version? Or its md5 hash? Or any other mutation?

To be honest, AHK’s scripting language doesn’t look friendly to me, so the idea is to use a “normal” language, such as Python. I found several projects which try to join AHK and Python, but it looks like all of them are abandoned.

So, we use a “universal” way of calling a program from AHK and getting results from it:
!F10::                                   ; Alt+F10
SendInput {Ctrl down}c{Ctrl up}          ; copy the selection to the clipboard
RunWait %ComSpec% /c ""python" "converter.py" "urldec" "%Clipboard%" > "%A_Temp%\tmp1.txt"",,HIDE
FileRead result, %A_Temp%\tmp1.txt       ; read the converter's output back
sleep, 100
Clipboard := result
SendInput {Ctrl down}v{Ctrl up}          ; paste the result over the selection
return
Yep, it looks awful: we run a new cmd (not just python) to be able to hide the “black window”, we get the selected text using the clipboard and get results from a file(1). However, it works pretty well and fast. So we select and copy text, press ALT+F10, and the script runs the converter on the text (URL-decoding, with the “urldec” command above) and replaces the selected text with the result.

But if you set a lot of global hotkeys, it can be hard to remember them and to use them fast. So we can create a menu with internal hotkeys. As our selection may contain special symbols or be multiline, it’s better to pass it using an additional file. Also, we can put all similar things into one function.
RunProgram(command)
{
    SendInput {Ctrl down}c{Ctrl up}               ; copy the current selection
    ;sleep, 200 ; it added some stability for one of my laptops
    FileAppend, %Clipboard%, %A_Temp%\tmp_in.txt  ; pass the selection via a file, not the command line
    RunWait %ComSpec% /c ""python" "C:\path_to_script\kostyli.py" "%command%" ",,HIDE
    FileRead, Clipboard, %A_Temp%\tmp_out.txt     ; the script writes its result here
    ;sleep, 100 ; it added some stability for one of my laptops
    SendInput {Ctrl down}v{Ctrl up}               ; paste the result over the selection
    FileDelete, %A_Temp%\tmp_in.txt
    FileDelete, %A_Temp%\tmp_out.txt
}

Menu, EncoderMenu, Add, &Base64 Encode, B64EncHandler
Menu, EncoderMenu, Add, B&ase64 Decode, B64DecHandler
Menu, EncoderMenu, Add, &URL Encode, UrlEncHandler
Menu, EncoderMenu, Add, U&rl Decode, UrlDecHandler
return

; every label named in the menu must exist, or AHK refuses to load the script;
; the "b64dec" and "urlenc" command names are assumed, following "b64enc"/"urldec" above
B64EncHandler:
RunProgram("b64enc")
return

B64DecHandler:
RunProgram("b64dec")
return

UrlEncHandler:
RunProgram("urlenc")
return

UrlDecHandler:
RunProgram("urldec")
return

#c::Menu, EncoderMenu, Show
Here we define a menu and set various handlers for it. The approach is the same: select text, press `Win+C` and press the key of the appropriate encoder/decoder (marked by &).
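The Python side of the two snippets above is never shown. Here is an added, hypothetical stand-in for it (not the author's converter.py or kostyli.py): it reads the selection from %TEMP%\tmp_in.txt, applies the command named on the command line, and writes %TEMP%\tmp_out.txt, which is exactly what RunProgram() expects. It assumes the AHK script sets "FileEncoding, UTF-8" so both temp files are UTF-8; the "b64dec", "urlenc" and "md5" command names are assumed, following the page's "b64enc" and "urldec".

```python
# Hypothetical stand-in for the converter that the AHK RunProgram() function calls
# (not the author's kostyli.py): reads the selection from %TEMP%\tmp_in.txt, applies
# the transformation named on the command line, writes %TEMP%\tmp_out.txt.
import base64
import hashlib
import os
import sys
import tempfile
import urllib.parse

COMMANDS = ("b64enc", "b64dec", "urlenc", "urldec", "md5")

def convert(command: str, text: str) -> str:
    """Apply one named transformation. An unknown command or undecodable input
    returns the text unchanged, so a failed hotkey never destroys the selection."""
    try:
        if command == "b64enc":
            return base64.b64encode(text.encode("utf-8")).decode("ascii")
        if command == "b64dec":
            # drop line breaks a multi-line selection may carry; validate=True
            # rejects junk instead of silently discarding characters
            compact = "".join(text.split())
            return base64.b64decode(compact, validate=True).decode("utf-8")
        if command == "urlenc":
            return urllib.parse.quote(text, safe="")   # encode "/" and "&" as well
        if command == "urldec":
            return urllib.parse.unquote(text)
        if command == "md5":
            return hashlib.md5(text.encode("utf-8")).hexdigest()
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        pass
    return text

def main(argv):
    if len(argv) != 2 or argv[1] not in COMMANDS:
        sys.exit("usage: kostyli.py <" + "|".join(COMMANDS) + ">")
    # tempfile.gettempdir() is the directory AHK's %A_Temp% expands to on Windows;
    # assumes the AHK script set "FileEncoding, UTF-8" so both files are UTF-8
    tmp = tempfile.gettempdir()
    with open(os.path.join(tmp, "tmp_in.txt"), encoding="utf-8-sig", newline="") as f:
        text = f.read()
    # write a BOM so AHK's FileRead picks the right encoding regardless of its default
    with open(os.path.join(tmp, "tmp_out.txt"), "w", encoding="utf-8-sig", newline="") as f:
        f.write(convert(argv[1], text))

if __name__ == "__main__":
    main(sys.argv)
```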


Some tips

  • Be careful with global hotkeys (those you set not just for one application or group of applications), because you can “override” some useful hotkeys of an app.
  • Hotstrings don’t work so well in smart text editors (like Sublime or VS Code), because AHK just sends keys instead of you, so autocompletion and similar features of the editor come into play.
  • Be careful when you use SendInput if you have several keyboard layouts in the OS.
  • AHK is quite a reliable tool, but sometimes it doesn’t work so fast and it’s hard to debug. So, keep things simple.
  • You can set a hotkey to reload the script, which is very useful during development (!^+R::Reload).
  • AHK allows you to find the elements of a window and perform actions on them (click, input text). So you can set hotkeys even if an application doesn’t have them. Java Swing applications are not supported by default, but by using Java Access Bridge and this library (https://github.com/Elgin1/Java-Access-Bridge-for-AHK) we can achieve it.

Conclusion

At the beginning of the article I wrote about the “hacky way”… OK. AHK is a totally hacky solution, but it works!

What about other similar tools? Similar tools of course exist, and exist for other OSes too. They have some additional features or limits. For example, the Python packages keyboard or pyautogui, which work on Linux and Windows.

You may have a look at some final examples of AHK in my repository.

Sunday, August 9, 2015

Universal way to bypass Group Policy (SRP) by Limited User

(This is a post from July 2011)

What is it? Group Policy is a powerful feature of the Windows OS.
From Wikipedia: “Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment.”

For example, it can block users’ access to Regedit or to changing the IE proxy. So it is an additional limit for users, besides file system and other permissions. One of the main parts of Group Policy is the Software Restriction Policy (SRP). With SRP an administrator can set a short list of software which a limited user is allowed to run. Therefore, SRP can raise the security of the whole system by restricting the user’s rights.

How does it work?

When a user launches a process it’s the parent process that checks SRP to see if the execution of the child should be allowed or blocked. The parent process uses NtQueryValueKey to query the Registry value HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled, which if present and non-zero indicates that SRP is turned on.

How can we bypass it?

There are a few different ways. Their main idea is that the SRP check is situated in user space. The parent process is owned by the limited user. Therefore, a user can bypass SRP by various memory manipulations.

Attack!

Mark Russinovich posted a great tool, Gpdisable, and a good explanation of SRP on his blog. Gpdisable is now unavailable, but it can be found on the Internet. Gpdisable uses DLL-injection techniques to inject into a parent process’s memory. Then “it fools the SRP code by returning an error value” when SRP tries to query TransparentEnabled. Therefore, the parent process can run any other process.

Problem. 

Gpdisable consists of 2 files: gpdisable.exe and gpdisable.dll. gpdisable.exe injects the DLL into a process; gpdisable.dll is the DLL that bypasses SRP. But in real life there is a problem: injecting gpdisable.dll. Because in a well-restricted system a user is allowed to run only software from the whitelist. So you should run gpdisable.exe, but you don’t have the right to do it.

Real Attack!

When I read about binary planting, I got an idea of how we can inject gpdisable.dll into a process. It’s simple: DLL hijacking. But almost all big software (like MS Word, Excel and Notepad :) doesn’t have such vulnerabilities. That’s bad. But if we use “advanced” DLL hijacking (COM server-based binary planting), we can do it in almost all software. I won’t retell the idea of such binary planting, but you can get it from the Acros Security Blog.

Steps to bypass SRP for XP:
  • rename gpdisable.dll to deskpan.dll;
  • create a new folder and name it files.{42071714-76d4-11d1-8b24-00a0c9068ff3};
  • place deskpan.dll in the new folder;
  • open the folder;
  • create a new rich text document in the folder;
  • double-click the rich text document;
  • WordPad runs with gpdisable.dll loaded;
  • bypassed :) We can run any process.

There are similar steps for Windows Vista/7 and others. In addition, all these steps can be done from an “Open” or “Save As” dialogue, which can be useful for Citrix systems.

Thanks to Ryan Sears.
And thank you, for your attention. Alexey Tyurin

NetBIOS spoofing for attacks on browser

(This is a post from January 2012)
Some time ago, during a pentest, the NetBIOS protocol got my attention, especially NetBIOS naming and its interaction with DNS.
NetBIOS is an old protocol, distributed world-wide, but it doesn’t have many security mechanisms. And I think that many interesting things are born at the intersection of different technologies. So I started a little research and I want to show some results of it.

NetBIOS Intro

When I got into the NetBIOS protocol, I got an idea to create a Metasploit module to perform NBNS spoofing, but Tim Medin got ahead of me :) Almost a year ago, he created that module (auxiliary/spoof/nbns/nbns_response). In addition, he wrote a great post about using NBNS spoofing for an NTLM-relay attack. A bit later I’ll add his trick to the SMBRelay Bible, if he accepts it :)
Then I tried to improve on his ideas…

Old Tricks

Tim wrote about two interesting details.
The first is the order of IP address resolution in Windows:
1) local hosts file - C:\Windows\System32\drivers\etc\hosts
2) DNS
3) NetBIOS Name Service

Secondly, all modern browsers have an “intelligent address bar”. This bar is used as an address bar and as a search bar at the same time. When a user enters a word in it, the browser tries to access a host with that name and only then tries to search for the word.
For example, if I enter “dsecrg” in the address bar of my browser, it tries to get the IP address of “dsecrg” by DNS, then by NetBIOS Name Service, and after all that “dsecrg” goes to the default search engine.




Therefore, we can use an NBNS-spoofing attack and send a reply with our IP address to the user’s browser when it tries to resolve “dsecrg” by NBNS. Then the user’s browser connects to our web server.

New Tricks

But let’s go further. As we can see, if Windows can’t perform IP resolution via DNS, it tries NBNS.
And what happens if we try to connect to aaa.google.com?


It is an analogous situation. DNS is first, NBNS is second… And we can spoof Internet addresses! So, NBNS spoofing is analogous to DNS spoofing.

Is an NBNS-spoofing attack better than DNS spoofing?
No, it is not, because NBNS spoofing has some rough limitations:
1) It works only in local networks
2) It has a hostname length limitation (15 characters)
3) It can spoof only hostnames which DNS can’t resolve. But we can bypass this limitation if we can make a DoS attack on the DNS server.

Still, an NBNS-spoofing attack can be very useful in some situations. The main plus of this attack is that it doesn’t send any illegal traffic. DNS spoofing or ARP poisoning are “aggressive” attacks and generate a lot of “bad” traffic. So it’s harder to detect an NBNS-spoofing attack with IPS/IDS systems. In addition, it can be useful when DNSSEC is used in a network.
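A defender can still catch the precondition of the attack: a Windows host only asks NBNS for a dotted, DNS-style name after DNS has failed, so such queries on UDP 137 are exactly the ones a spoofer on the LAN can answer. The following is an added detection example, not code from the original post: it implements the first-level NetBIOS name encoding, parses an NBNS name query, and flags dotted names. The sample packets are constructed inline; single-label names like “dsecrg” are deliberately not flagged, since they are indistinguishable from legitimate workstation lookups.

```python
import struct

NB_QTYPE = 0x0020          # NetBIOS general name service record (NB)

def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15 chars (upper-cased, space padded) + suffix byte,
    each byte split into two nibbles and each nibble written as 'A' + nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_nbns_name(enc: bytes):
    """Inverse of encode_nbns_name: returns (name without padding, suffix byte)."""
    if len(enc) != 32 or any(c < 0x41 or c > 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_nbns_query(tid: int, name: str) -> bytes:
    """Constructed sample NBNS name query, as a Windows host broadcasts it on
    UDP 137 (flags 0x0110 = query, recursion desired, broadcast)."""
    header = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_nbns_name(name) + b"\x00" + struct.pack("!HH", NB_QTYPE, 1)
    return header + question

def parse_nbns_query(pkt: bytes):
    """Return the question of an NBNS query as a dict, or None for responses."""
    tid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        return None                       # response packet, or nothing to inspect
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("malformed NBNS question section")
    name, suffix = decode_nbns_name(pkt[13:45])
    qtype = struct.unpack("!H", pkt[46:48])[0]
    return {"tid": tid, "name": name, "suffix": suffix, "qtype": qtype,
            "broadcast": bool(flags & 0x0010)}

def dns_fallthrough_queries(packets):
    """Detection rule: an NBNS query for a dotted (DNS-style) name means DNS did
    not resolve it and Windows fell through to NetBIOS; those are the names a
    spoofer on the LAN can answer, so they deserve an alert."""
    hits = []
    for pkt in packets:
        q = parse_nbns_query(pkt)
        if q and q["qtype"] == NB_QTYPE and "." in q["name"]:
            hits.append(q["name"])
    return hits

# constructed sample traffic: one LAN workstation name and two DNS-style names
SAMPLE_QUERIES = [build_nbns_query(0x1111, "dsecrg"),
                  build_nbns_query(0x2222, "aaa.google.com"),
                  build_nbns_query(0x3333, "aaa.example.com")]
```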

OK, but what can we gain within NBNS spoofing’s limitations?
Yes, we can spoof only hostnames which can’t be found via DNS (without DoS of the DNS server), but we can spoof subdomains! And that is enough for us.
Here is a list of what we can do if we can spoof a subdomain of the attacked domain and “redirect” the user to our web server.

1) Steal the session cookie
Cookies can be set for all subdomains of a domain (domain=.foo.com;). So if we spoof a subdomain of a domain, the browser sends us the victim’s session cookies.
Moreover, if a cookie is set without a domain field (a very common situation), Internet Explorer sets it for the domain and all its subdomains. But, by the RFC, IE should set it only for the current domain. (Researched by d0znpp)
As we can see, we can steal cookies very often.

2) Session Fixation
The Same Origin Policy has an interesting exception to the cross-domain interaction rules: a subdomain can set (and rewrite) a cookie of its parent domain. For example, aaa.google.com can set a cookie for google.com, but can’t set one for bbb.google.com or zzz.aaa.google.com.
We can use it.
If a web application on a server has a session fixation vulnerability, we can spoof a subdomain of this server and set a cookie for it.
*A strange moment: during testing I was trying to set a cookie for “localhost” from a subdomain of localhost, but I couldn’t do it.

3) Cross-domain policy bypass
It is a frequent situation that * is used for the domain in crossdomain.xml.
For example, adobe.com:
<allow-access-from domain="*.adobe.com">
We can spoof a subdomain (aaa.adobe.com) and get full session riding via Flash.

4) Phishing
Classic phishing attacks…


Catch a user

In all these attack vectors we have a little problem: how to force the user to come to our (fake) subdomain? To solve it, we can use an NBNS-spoofing attack :)
Example of cookie stealing for example.com:
1) Run NBNS spoofing against all domains
2) Run our web server with a little script, which should:
- Collect incoming cookies (sorted by the Host HTTP request field)
- Reply with a simple HTML page containing a hidden iframe with “src=aaa.example.com”
3) When the user enters any non-existent domain name into the browser, our NBNS-spoofing attack will work and their browser will come to our web server. Then the browser will try to open aaa.example.com, the NBNS-spoofing attack will work again, and we’ll get the cookies from example.com.


Outro

NBNS spoofing is interesting stuff, and it doesn’t look too hard to carry out such attacks in real life.