Today we'll be talking about terminal services. Welcome everyone. I hope you had a good evening yesterday. I did; maybe I sat down a little bit later. Yeah, I will talk about exploring terminal services, and I will release today some tools that my friend Patrick Carlson has written and some tools that I have written. And then I think I'll just keep the talk to the fun stuff, you know, so I have some nice demonstrations, then boring slides. You will find the tools on the CD that you got, but I think Patrick, on his site secure.net, is going to have a web page there for you.

So what should I talk about today? Well, I don't know if anyone heard my speech two years ago about Citrix and terminal services. Fun, perfect. I would like to continue from there. So, last time, okay, I'm going to say it like this: Citrix and terminal services. Is there someone here who doesn't know how it works? Remote desktop things. Okay. What I spoke about was breaking out from a given environment, and I also talked a lot about Citrix and their published applications. But what happens if you have a shell on the Citrix or terminal server? What should you do? What should the hacker do? What will he do, more or less? So I'm talking very briefly about exploring, and then I will talk more about uploading files, and I will talk even more about gaining system, and the most fun part: controlling the local hard drives of the clients connecting to the Citrix or terminal servers. That will be fun, I guess.

So, exploring. Yeah, this is normal stuff, you know. People connecting to a terminal services or Citrix server, the first thing they do is a netstat, if they are bad-intended, because they want to see: what servers can I reach, and what clients are connecting right now?
You can do arp to see a little bit more, IP addresses, and net view, net user and such. Session: remember that you are sitting on your local client and you are connecting; I have a desktop on a remote server on a different network, so if you're doing net view you will see the computers that surround this terminal server or Citrix server, and that's interesting. I will not talk about it; it's normal stuff. But you have to remember you can also do lots of this stuff to access different accounts on your own machine. You're in this session; they can start a Citrix session in the session to password-guess other accounts. Maybe you're not allowed to log in from the internet from a Citrix session, or you can't reach VNC from the internet, but on the terminal server, if you find the client, you can start password guessing on the same machine that you are on.

And VBS. Yeah, oh God, my friend Patrick, he's so amazing, you know, he wrote the Excel port scanner. It's on the CD. It actually works. So if you want to port scan a network and you write... can you just run Excel there? And he's also experimenting with user switching, like the false user switching. Yeah, I have actually got that working in Excel: you just write which session you want to send your session to, and you will exchange sessions. But the problem is that you have to be administrator, and you will send your administrator session to some other guy. But well, there could be some interesting things to do there, but we will not release it here. We will look into it more deeply first.
So, the VBS thing. You can use Windows API calls, you understand, so you have unlimited access through Excel or Word or something if you're allowed to run this DLL VBS. Sometimes the terminal server and Citrix servers are really locked up, you know, you can't run anything, can't access cmd, command.com, ftp, and you want a good shell to start your programs from, like a Run... box. People forget about Progman, you know, Progman, the old Windows 3.1 desktop. Yeah, and it's perfect if you have this Run thing there, so you can have this history of commands, so you can do lots of commands. And this Computer Management thing, people are forgetting about that too. If you're going to lock down a computer, a terminal server, Citrix, well, you have to lock down so much, you know, it's very hard to use the computer. But I think it's the only way. I will also say I really like terminal servers and Citrix; I think that idea is very good, but you have to think twice how you implement it and why you're using it. That's just one thing.

And rundll. Have you seen all the things you can do with rundll? Well, I tried to disable that. You can do things like starting the network place wizard, or maybe telnet, why not? So you can do a lot of things through rundll too. There is a very, very big list of things that you shouldn't be allowed to do on the terminal or Citrix server through this rundll. I'll not talk about it.

So, uploading files. Sooner or later the client or the hacker wants to upload his stuff.
He wants to run his local exploits to gain system, and he wants to upload his exploits. This is usually and easily done by the normal terminal server and Citrix local client mapping. I will explain; it will be like this: the local client connects to the server, the terminal server, and in this session, this remote desktop, if you open Explorer you will see his local network drives there, and it's very easy to just double-click on it and run your exploits from there. But very many people don't allow it, so they disable that feature. The other way is, of course, if this terminal server or Citrix server has an internet connection, it's very easy to just download the stuff. But what happens if it's a very locked up computer, where the local client drive mapping is disabled, and you have no internet connection from this session? There is a program, I've found it somewhere and you can find it also, it's called netsend.exe. It converts a binary file to a text file, a readable text file, and it's so amazing, I like it a lot. So you can read the file. What you do is you transform the binary that you will upload to a text file and open it in Notepad, copy everything, and then you open Notepad on the terminal server, in the terminal server session, and you paste, and you've got your program there. And if it's larger than 64k, it encodes it, and how should you decode it? Well, of course the guy who wrote netsend also wrote a program called modecom, and it's a huge decoder, also readable. So you just copy, paste, save, and then it's just ready to execute. You don't have to do anything. It's amazing.

But it all fails if copy and paste is also disabled. Of course, you are able to type, right? You can type your username and password and stuff.
Of course, the last thing you can do is upload the file with the keyboard. It takes time, but I've written a tool that does it for you, so it should be a little bit faster than doing it by yourself. I'm doing a demonstration later; it's quite fun. This script can also transform files to a debug script. I don't know if you know the tool, but it's a Perl script. And that's it. You know the Unicode bug in IIS? There is a feature in that Unicode tool to upload files as debug scripts. I've written that script and I just modified it so I have no size limit, and that's pretty hard in debug.exe; it can only handle 16 bits per program.

So, gaining system. We have now uploaded our stuff on the terminal server, so now I have to gain system to run these programs. The normal thing, of course, is to replace system binaries, the easiest way, file write stuff, you know, just change the backup program to your stuff. And the fully qualified path problem: there's a problem in Windows; Unix has solved it several years ago, but in Windows it's still there, like utilman, you know the utilman exploits, right? Let's start experimenting with it. Just copy utilman to a local directory, then you put your DLLs in that directory and start utilman, and it will try to read your DLLs instead. I've also written a small program, a skeleton program more or less; I will make a demonstration of it. It's almost like Shatter. Did anyone go to the Shatter speech, the Windows Shatter? Yeah, it was so cool, I loved it. Oh God. And they talked about this being a problem with all the terminal services and Citrix servers. But what I've written is just a basic skeleton, 101 stuff, but I will show you how it works.

And one of my friends told me, why don't you just install a trojan printer driver? And I said, well, what are you talking about? Well, what you do... they have actual code and working exploits for this. I will not release anything. What you do is that you have your client, and you share a printer, a trojan printer, and when you're in the terminal session you're allowed to add printers, and you search for a printer and you just point it back to your trojan printer. When it tries to install the trojan printer, it runs a command prompt, and the installation will fail, so you've got a command prompt with local system rights. It's pretty neat, and the most fun part of it is, it's just like it failed and you want to retry, so if you close the window, the command prompt, you can just retry and it will get a new one. Perfect.

And here's the weird part. I will not talk about the normal stuff. Of course, when a user logs in to a terminal or Citrix session there are login scripts and stuff running, and you can do stuff to the guy's hard drive there. But I will talk about a vulnerability in Citrix that has been patched right now. Patrick found it and I've written a tool for it. It steals, or gains you access to, the local hard drives of Citrix users. Yeah, I will maybe talk here about what it does. If you're running WinObj from Sysinternals, you will see that all Citrix sessions have these DOS devices. In this example, in session one, his local hard drive C is mapped in this Citrix session to X. Okay, and the other user has almost the same, but he has session two. With one line of API, and admin rights, you can map the other guy's hard drive. You just point: I will not have my session, I want this guy's session, and you get his hard drive mapped to X instead. You just change the one to two and you get his hard drive, or three for the third person. And he's written a very easy, nice tool for it.
So you can just click it, and it's easy to enumerate. Yeah, you will see it work; I will make a demonstration of it. There is a patch available for this. So my friend Patrick thought, okay, they patched it, but if I'm administrator on the terminal or Citrix server I have access to all of the processes, right? And becoming local system as administrator, that's far too easy: just install the program as a driver and run it as a driver and you're local system. So as local system you can connect to all these processes. What he does is he locates a process of a user, copies the credentials, and starts a reverse shell with these credentials. This means you get a shell with the credentials of that other user, the Citrix or terminal server user, and that means you can access his local hard drives. I will show you in the demonstration also. It's a little bit hard to follow that demonstration because there are so many different things happening: there are two Citrix sessions, and there is this reverse shell also, and local hard drives and stuff. But I will try to speak very slowly.

So if you are in the Citrix session, you can always map your local hard drives like this, or in terminal server you can always map your local hard drives like that. The interesting thing is, in terminal server you can also map the guy's local network drives. You understand, that's on his client LAN. You can actually access... so if he has administrator on his network and connects to his terminal server that a bad guy owns, he can access all the maps that he has access to, or what he had mapped. Nice. So we'll now give you a demonstration. I'll break out from the given environment.
Yeah. Yeah, I think your question was like, you should have good policies and... and I have an execute... Yeah. Yeah, of course you should try to... I will talk about protection later, and then what it says is you have to specify a white list of what you are able to run. The problem is running a white list: it's very hard to implement it. Have you done it? Did you succeed? I don't believe it. All the DLLs and stuff, you know, the MSI and everything. Five executables. Yeah, maybe it can be done. No, it maybe can be done. I think it's very hard. I've never seen one of those systems. They will try, because I will talk about them in the protection stuff.

Then I will upload files, gain system, I will run Citrix map, TS inject, and I will access local hard drives. I will not be using this over-the-network stuff; it will be too complicated. So now we'll look at this right side. This is now the attacker. This will later be the victim, but right now it is the attacker. Where I left off last time was breaking out from the given environment, so I will start there. So I have this Adobe thing, and it's a published application, so it starts, and it takes a while, and it's anonymous access. I don't actually know what you should... what are you using the system for with just five executables? You probably should use a VPN too. So this is... there's no desktop here, no, it's Adobe Reader. So what you do, of course, to break out from the given environment, the easiest way is just choose Open and then right-click on something and choose Explore. Have you seen this before? Yeah, there was another speech about running Explorer from a vulnerability, the VNC stuff. Here's the desktop; it was just hidden. So now I'm anonymous here. I will change the font for you.
I think this one will be alright. You can see this. So I'm the attacker, it's this computer, but what you see here is a Citrix session. So this is the terminal services or Citrix server I'm in right now, and I will now try to upload files. There are lots of different ways to do it, of course, but I will just show you the copy-with-keyboard program. So you change to a directory that you are able to write in, maybe a quarantine directory from an antivirus program or something, and in this window I start something that can read my keystrokes. So I do copy con foo.bar or something, okay? So this is the keystroke listener right now. So we change... this red thing here is the attacker window now. So the background is a Citrix session and the foreground is on my computer here. So this program will take a file as input and it will just type it for me, but it's very hard to type binaries, so you have to convert it or something, transform it. I have chosen a program here called regedit32.ex1. It's because the debug script can't handle .exe, so it is the normal registry thing going on, but I just renamed it. And then I run copy-with-keyboard, choosing the file, and I choose a delay of one. It's not a Windows window, it's a DOS window, and I should transform it to a debug script. What this program does now is enumerate all the windows with names, and I have to choose which window I will start typing in, and I choose window 52, for example. 52 brings it up to the front and starts typing for me. It's not that fast now, but there's no flow control. You can try very small values, but it may be messed up, and if you're sitting with a large program waiting for an hour you don't want something to be missed here. What it actually does is it's assembly; the problem is with debug.exe.
It can only handle 64k programs, so what I'm doing is running a thing that moves the data segment pointer one and writes the next 16 bytes, over and over, then jumps around. You can play with it at home. This will take about two or three minutes. In the meantime, I will show you another script I've written. Well, it's the easiest way to get local system on the local server, and I will do that on this left side. So this is now running and can move on for a bit.

Here it is. And the Windows keys, you know, you have to do stuff like this. So I'm logging in as a loser, and here at the server it's a Windows 2003 server, and I want to gain system rights here. I've written a small skeleton that just enumerates all the windows, even the hidden ones, and sends F1 to them. It's like the utilman exploit; yes, there are so many exploits right now. So what it does is just send F1; you can change it to Alt+Space or something if you like, it's just a skeleton program, so you can change it to Alt+Space and have the utilman exploit for that instead, and then just press Enter and you just continue until something happens, like a help or something from a program that runs as system starts. I will not do this, it takes too much time, there are too many windows. But I also have a program that sends F1 directly to a window instead. Oh, pcAnywhere, I know that one is vulnerable, but I will not use that actually. I will find another known vulnerability. Yeah, here's the Broadcom systray Windows application. I can't see it in the systray either, but yeah, the service is running. I'm at a demo, so I will send F1 to this window, 55. Enter 55. Windows Help. You can't find the help? Point to where you want to find it yourself. Yeah, I know, I remember it's called something like CM something. There it is, open with... Perfect. Yeah, that's fun. Oh, I'll reinstall it now.
Maybe I'll use it and do it later. So well, the file is now finished uploading here on the right, and I will check it. Right, foo.bar, and as you can see it's eating something, I think. So this is a normal debug script file. It's named the file; it has some assembly in it that just moves the data segment and stores it, and then it just starts uploading this data. You probably don't have to have like zero zero... yes, it needs one zero, but for demonstration purposes. So how to get the file again? I was uploading regedit32.ex1, so I run debug, the other direction, foo.bar, and debug runs this debug script for me, and I will now have the file here, I guess. Yeah, there it is, right? And I have now uploaded a binary with the keyboard.

Now to the fun stuff. This Citrix session is still going on here. This is now the victim. Nothing will happen over here on the right side; everything will happen over on this monitor. But I will keep this running just to show you that this is the client, and try to understand that the attacker is here now. I will do a few steps ahead. This client has now logged in with a Citrix session to the Citrix server, and the attacker will now also log in to the Citrix server as administrator. Usually you can't do this, of course, but just for the demo purposes, to show you that if you are an administrator on the terminal server you can do that stuff. So we'll change directory to hacktool\citrixmap. So this is a tool Patrick wrote. It then shows the disks that are already mapped.
I will remove them, just to be clear what's happening here. So I don't have any locally mapped drives right now. So I click here, and it enumerates all the Citrix clients connected to the Citrix server, and I will choose victim, and now it enumerates all the hard drives this victim has, and I choose one here, C, and I map it. Yeah, it was one API call, so it's definitely not that hard. Then you can close this one, and I can go to the drive. Understand, this is the attacker, running from this computer to a Citrix server, the same Citrix server that this loser is on, and I have all the access I need on this hard drive, the exact same hard drive as the victim. So it's very easily done. So if you're running an ASP or something you should be worried, or if you are using an ASP, maybe you should be worried too. Yeah. So that was fun.

So I don't have to exit that one. So the last demonstration is more advanced stuff. I will log off here. I will start a netcat listener. This is still the attacker. I'm starting a netcat listener, waiting for a remote shell, and then I start terminal server or something, please connect me, and of course I'm cheating: I will log in as administrator directly. So this is a terminal server session on the Citrix server. Citrix and terminal servers is the same server that this session is on. The best way to learn this stuff is by playing with it yourself, you know, you have to run it to understand it, if this goes too fast and everything. So this program, TS inject, doesn't need terminal services, but wait a second. What you need is a process ID, because you will copy the credentials from that process ID. So we will find a process ID here. This is a very small font now, I know. I sort it on session ID. It's just Task Manager.
There's nothing fancy about it, and here is one, he's from session two. I can start something here that you can see, a command prompt, for example. Oh, it was that example, but I'll take him. So here's the program, command prompt, running on that. Well, of course, I did Reader, that's what I started from the beginning. So here's Acrobat Reader, it doesn't matter, just to show you, and this has process ID 3004. Okay, I have to remember that. So I'm running this TS inject and I want to copy 3004's credentials. I will send it to my client, to the netcat listener on my client. You can send it to the terminal server or whatever you want, you know. Yes, Patrick just wanted to remove it, back to our innocent... and the port 666. So it will start a reverse shell with the credentials of the process and send it to this computer. Oh, please, please, please. Yeah, here it is. Yeah. And now I can use net use. It's a Citrix session, so I will use \\client\c$, of course, to Z. And yeah, understand, it's hard to understand what's happening here because there are two sessions going on and then there's the remote shell involved to the client, but just try it once and you will understand what's going on here. It's so easy.

Well, now we'll talk about protection. So if you disable 16-bit application support, perfect, it disables netsend programs, it disables debug.exe, it disables lots of weird stuff that shouldn't be going on. You have to do traffic filtering, of course. Restrict access to executables and general read/write/execute rights, and that means like where people are allowed to save stuff, that shouldn't have execute rights; that is very, very important. And where they have execute rights, it shouldn't be able to read/write, I mean. And Active Directory stuff, you can do a lot with it. Use it, use it.
You can make signatures on all the binaries that should be allowed to run; it's perfect. And this SecureEXE program, now called Sanctuary, they have a live demo on the internet you can try. I like it a lot. And then my friends have this site, se46, that does stuff; I don't know, but I was told to have it in the presentation, and it does something about closing the environment. And there's this fully qualified path problem; I don't know how to solve it. You have to write good binaries or something. Process isolation: validate access to critical APIs, and there is a tool from a guy called Jürgen, he's one of the guys who runs Toolcrypt, and he showed me this program, API Guard, and it's so cool, you have to check it out. It's a userland thing; lots of stuff can't be done when you're using this program on your system, because you're not allowed to call something or jump to something that is not from the process. I will not talk about this. If you have any questions, just look at the tool and read about it, API Guard. But he's now working on other, even cooler stuff. It's called Kernel Guard, and it will be released this autumn in Finland. If you're interested in protection, you should really have a good look at this program. I don't think it will be open source, but it will be free.

Is this the end? It's, oh God, it's so much, you know. You find everything every time you look. And I wrote here: still no buffer overflows. Well, we may see some patches in the future. I have to thank my mom, and my researcher Patrick Carlson from Secure, a fabulous guy, and the keeper of the keepers, Jürgen from Toolcrypt, and Jonas Lindin who made the demonstration possible, and my friend, a good man, or him as the base defender. That's the speech. I hope you enjoyed it. Have a good time, and see you.
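The three hardening settings the speaker leans on (no client drive mapping, no clipboard, no 16-bit application support) can be audited on a terminal server with a read-only registry check. This is an added example, not a tool from the talk or the CD; it assumes the settings were applied through the standard Group Policy entries ("Do not allow drive redirection", "Do not allow clipboard redirection", "Prevent access to 16-bit applications") and also reads the local RDP-Tcp WinStation values as a fallback.

```powershell
# Added example (not from the talk): audit the terminal-server hardening settings the
# speaker recommends. Read-only; run in an elevated PowerShell on the server itself.
# Assumption: policy values live in the usual GPO registry locations listed below.

$tsPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsLocal   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$appCompat = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'

$checks = @(
    @{ Name = 'Client drive redirection disabled (fDisableCdm)'
       Paths = @($tsPolicy, $tsLocal); Value = 'fDisableCdm'; Expected = 1
       Why = 'Closes the "double-click the exploit on your mapped local drive" upload path.' },
    @{ Name = 'Clipboard redirection disabled (fDisableClip)'
       Paths = @($tsPolicy, $tsLocal); Value = 'fDisableClip'; Expected = 1
       Why = 'Blocks the Notepad copy/paste upload of text-encoded binaries.' },
    @{ Name = '16-bit application support disabled (VDMDisallowed)'
       Paths = @($appCompat); Value = 'VDMDisallowed'; Expected = 1
       Why = 'Removes debug.exe and other NTVDM programs used to rebuild uploaded binaries.' }
)

function Get-PolicyValue {
    # Return the first configured value along the search order (policy first, then local).
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # not configured anywhere: the feature is still enabled
}

$findings = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Paths $c.Paths -Name $c.Value
    $shown  = 'not set'
    if ($null -ne $actual) { $shown = $actual }
    $status = 'FINDING'
    if ($actual -eq $c.Expected) { $status = 'OK' }
    [pscustomobject]@{ Check = $c.Name; Actual = $shown; Status = $status; Why = $c.Why }
}

$findings | Format-Table -AutoSize -Wrap
# Non-zero exit so a scheduled audit job can flag a server that drifted from the baseline.
if ($findings.Status -contains 'FINDING') { exit 1 }
```

Whitelisting of executables (the white list the audience asked about) is not covered by this check; it only confirms the three redirection and NTVDM settings.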