The office in question was a small two-PC affair that was part of a much larger network. Round two saw me arrive early, only to discover that the required install media for Office was not present. This was apparently too late the individuals with the keys to let me into the building had left. I ran into a multi-vehicle accident and showed up onsite three minutes late. The location in question is on the other end of the city from my home better than an hour away. The project started out with a misadventure. It could stretch to four hours in the absolute worst case. Depending on the speed and number of the PCs, that’s maybe a couple hours’ worth of work. Remove Office Pro and install Office Standard to ensure proper license compliance. It was simple enough go to the site, rename and readdress up to five PCs to meet the newest conventions. One recent job has left me feeling somewhat ambiguous. Some contracting jobs are terrible 14 consecutive hours of testing cables and ghosting workstations will leave me a gibbering mental wasteland. I love the sexy ones that task me with rolling my own data center or spending a week’s worth of off hours poking holes in someone else’s network. Hopefully you will find something of value in this post, despite the limited use case.Some contracting jobs are fun. Voila, it’s disabled! Now you can go about your business! Then go to the command line and run “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe -stop”. Unselect the box that says “Protect Symantec security software from being tampered with or shut down”. Go to change settings > tamper protection. Once you can RDP into the system, do so and bring up SEP. netsh firewall set service remotedesktop enable.netsh firewall set service remoteadmin enable.You may need to allow it through the firewall so run the following commands against the system: Which should produce the following result. Set COMMAND ‘reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0’ Set the SMBPass, SMBUser, and SMBDomain to whatever is correct for your system. Then open up metasploit and use the auxiliary/admin/smb/psexec_command exploit. To test it out set your remote desktop settings to not allow connections. To do so, it needs to have the registry key LocalAccountTokenFilterPolicy set to 1. This requires RDP to be open, although you could enable that through psexec_command. This encodes each of the stages and in this instance bypasses the SEP HIDS. I generated the payload as usual but I changed the handler to EnableStateEncoding. This could be a pain, given we are using syringe to inject them so the second method is the one I used. Instead of breaking up our payload into multiple stages and reducing the size, we can use one of the new stageless payloads which has the entirety of meterpreter contained in them. There are two options for getting around this. This HIDS was picking off the meterpreter stages, causing the the stage to fail. That is all well and good for AV, but Symantec also has a HIDS. By generating shellcode using msfvenom (or msfpayload if you’re behind the times), we can inject the first stage of a payload in memory and avoid AV. When psexec failed, my next idea was to use this beautiful dll / shellcode injector written by our very own steiner. There are probably other ways to skin this cat, but I learned something doing it this way so we will go with it! How to Bypass the SEP HIDS I was using them to gain access to other systems using psexec, but was thwarted by SEP in most cases (with a file not found error). So at this point I am most of the way there already, seeing as I had valid administrator credentials. A little bit of backstory: I was able to acquire a shared local administrator’s credentials during a pen test. I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so for my reference and that one person who runs into a similar scenario I am writing this.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |