Adaptive Penetration Testing 4: Windows UAC Bypass

Dave Kennedy and Kevin Mitnick discuss a method to circumvent User Account Control on Windows by means of a Java applet and the Social-Engineer Toolkit.

Dave: What I’m going to show you here is a demonstration of that actual bypass using the Social-Engineer Toolkit and the Java applet. What I’m going to show you is the new version, version 2.1, which has been in development now for probably the past three months. I’ll talk a little bit about the new features later on, but there’s some wicked stuff coming out. I’m also going to be talking about something that I did which is currently being reviewed by the EFF, because I don’t want to get sued. So, once that’s actually okay and clear and I got the backing, I’ll talk to you about what that is.

Bypassing User Account Control using SET

So we have SET here (watch video above), and in the new version of SET I’ve incorporated Fast-Track, which is a tool that I came up with a few years ago that was meant for the automating of penetration testing. I have recoded Fast-Track from scratch. Fast-Track was my first Python program. Since I’ve actually matured at my age in programming, I wrote things that are actually multi-threaded and used the functions, reused code and stuff like that, which was relatively unique for me. So, that’s now incorporated in the new version of SET.

We select the Social-Engineering Attacks menu and we are going to go to the Website Attack Vectors. Then we are going to select the Java Applet Attack Method. And for me personally, the Java applet attack vector is by far the number one most popular attack that I leverage during an attack. The reason is I no longer really have to attack a browser bug or an Adobe bug or a Flash bug – when I’m going and exploiting those, you have maybe a small percentage of that actually being successful, unless you did a ton of reconnaissance ahead of time. The Java applet attack leverages trust. It’s not an exploit, it’s not a bug – it’s something that leverages trust of how Java is actually designed.

And so we are going to go ahead and clone a website, and we’ll do gmail.com. It could be any website you want to. What SET is going to do is it’s going to go pull that website down, rewrite the web page, set up a fake web server, do a Java applet and so on and so forth. In one of the earlier versions that I released – I think it was 1.7 – I incorporated what’s now called the SET Interactive Shell, which is a completely custom interactive shell that’s similar to what you would expect from Metasploit or Meterpreter but specifically customized and designed for SET. It does randomized cipher key exchange of AES-256, so you have AES-256 communications going back and forth each time. It randomly compiles and obfuscates each one in order to get around signature-based detection, and it has a bunch of tools built into it. And so we are going to select that, we are going to listen to Port 443, and it’s going to do everything for us. So now we have everything listening here.

I have UAC on here, you can see it’s set to its default value. This is a relatively recently patched Windows machine, the patch comes out every two days. So we go to IP address, and it’s going to load the Java website for us. It looks just like Gmail. Funny enough, if someone’s like “No, I don’t want to click on this” and they hit Cancel, then they go to type it in and can’t type it in, hit Cancel again, and it goes back until they hit Run. Then it actually executes it. It’s what we call the Java repeater: if you hit Cancel each time, it keeps re-popping up, so they can’t type in their email and they can’t even close the browser unless they kill it through Task Manager, so it’s really annoying as hell. So they are just going to click Run regardless, because they want to get the thing off of the screen.

As soon as they hit Run, it redirects the victim back to the legitimate website and everything looks like it’s normal. Now, one thing that’s kind of cool – and this is what I’m working with the EFF about – is as follows: what happened a long time ago when I released SET is you could do what’s called self-signing of the Java applet, so you could sign it as Microsoft or Google or whatever you wanted to. So the Java applet would pop up as “This is published by Microsoft”. They have since changed it to show just a big “Unknown” as the publisher if it’s self-signed. So you, basically, have a publisher with a self-signed certificate of big “Unknown”. Now, we saw from statistics it literally impacted SET zero – we still have a 99% success rate when sending this. But at the same time, it wasn’t good enough for me.

And so, what I did was I looked at how you actually get a valid certificate from the different variety of code signers, so I registered a company in the State of Ohio and then I bought a code signing certificate. And the name of that is “Verified Publisher”.

Kevin: My Company is called “Oracle Java Applet”.

Dave: You know, Kevin was worried about calling it “GoDaddy”.

Kevin: Yeah. I remember I was going to participate in the Social Engineering CTF at Defcon two years ago and they wanted me to target Microsoft. So I registered microsoft-test.com, microsoft-this.com, and then I got a call from GoDaddy: “Mr. Mitnick, we just found out you registered these Microsoft domains. Is there anything we can do to help you?” I said “No, no, no, everything is fine, thank you!” But they actually took it upon themselves to call and check, you know, because maybe I’m on their list: what’s he gonna register today?

Dave: And so, the proof of this, the reason why we wanted to do this, the way we do these type of attacks – it cost me $30 to register an LLC in the State of Ohio. It cost an additional $200 for a code signing certificate. Do you think an attacker is going to do that if they really want to target an infrastructure of a company? I mean, the process that you have to do it takes literally about five days. And it’s not hard work, you just submit the paperwork, which kind of sucks. You submit it and it comes back after the governor gets the chance to sign it, and then you go to a website, you fill out some automated; you have to put a fake website, so I got a fake website out there.

Kevin: So, even if you are spending a grand, it’s worth it if you are doing a real attack.

Dave: Yeah, it’s obviously beneficial if you want to actually go and target a company, so it makes it absolutely more believable. And that’s the whole point of a pretext or an attack against an organization – you want to make them feel confident in what they are doing. And so the Java repeater that just annoys the hell out of people and the actually trusted applet – people are definitely going to click on it.

Completion of the UAC bypass attack

So we went ahead and we clicked on Run, and over here on our attacker machine we have a new shell (watch video above). The SET Interactive Shell is multi-threaded, so you can get 50 shells coming at the same time, it holds as many as you want to. And here we are going to interact with it by hitting “1”. Now we are in the SET Interactive Console, which basically gives you access to whatever you need. So you are going to enter “?” (question mark), it tells you all the different types of things you can do, so I can drop a new shell and type in “net user bob ihugalot /ADD”. If you noticed, I get “Access is denied” message. And why is that? Because UAC stopped us, User Access Control prevented us from actually being able to add a local user account onto this.

And so, what we incorporated in SET was “bypassuac”, where you just type “bypassuac {IP address}”. So it’s going to do its thing. This took me so long to code.

Kevin: What’s scary is there’s only, I think, three whitelisted executables that are outside the system32, so Microsoft could easily fix it.

Dave: Yep. So if you see here, we get “Connection received from {victim machine’s IP address}”, we drop back out to this, and now we see an option 2 – we see Windows calling UAC-SAFE. Now we can drop into that, and we completely successfully bypassed Windows UAC.

Kevin: What’s interesting with your tool is, in a speaking engagement I’ll demonstrate Java applet, I’ll leave it run and then I get busy and I’ll fly home, and then I’ll go there and I realize, like, six or seven people (not at the conference) connected to the site and actually executed the Java applet, just random people on the Internet. It’s amazing! I should let it run for, like, a year and see what happens. I don’t want the feds knocking on my door, so never mind.

Dave: The tool here has a lot of things like list running processes, execute things; you can do SSH reverse tunneling so you can tunnel a port based on the internal port, reverse it back so you can connect to it locally. It can also be used to kill processes, reboot. It’s got localadmin, domainadmin, grabsystem so you can get privileges on the system, keystroke logging, keystroke dumping.

The pentest takeaways

It also does lockworkstation, so you can lock the workstation while you’re logging the keystrokes and intercept their user credentials, which is one of my favorite ones. But the whole point isn’t to go through the SET Interactive Shell but just to show you how to bypass UAC. So, lessons learned from this – what have you learned from this attack?

Kevin: If you put your mind to it and actually prepare and you are meticulous about it, you are usually going to get in.
