Associated Vulnerability
Title: Microsoft Windows Kerberos Security Feature Bypass Vulnerability (CVE-2015-6095)
Description: Microsoft Windows is a family of operating systems released by Microsoft Corporation (USA). Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT); it uses a client/server architecture in which both the client and the server can authenticate the other party (mutual authentication), protecting against eavesdropping, replay attacks, and similar threats. A security feature bypass vulnerability exists in Microsoft Windows Kerberos because the software fails to properly check for a password change on the workstation where the user logs on. A local attacker can exploit this vulnerability to bypass Kerberos authentication on the target computer and decrypt the BitLocker-protected drive...
Description
Automated Exploit Toolkit for CVE-2015-6095 and CVE-2016-0049
Readme
Note: this repository references external repositories (Git submodules). After cloning this repository, run the following commands to fetch those submodules:

```
git submodule init
git submodule update
```
BlueBox
=======
BlueBox is a collection of scripts and configurations for the automated exploitation of [MS15-122](https://technet.microsoft.com/en-us/library/security/ms15-122.aspx) and [MS16-014](https://technet.microsoft.com/en-us/library/security/ms16-014.aspx) (see also [CVE-2015-6095](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6095) and [CVE-2016-0049](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0049)).
Additional information about this vulnerability can be found in the [BlackHat EU 2015 presentation and whitepaper](https://www.blackhat.com/eu-15/briefings.html#ian-haken) made on this topic, or the [updated talk](http://www.slideshare.net/ianhaken/attacking-windows-authentication-and-bitlocker-full-disk-encryption) presented at BSides Seattle 2015.
This exploit allows an attacker to bypass the login screen of Windows machines using domain authentication. This can be used to read a user's data, bypassing full disk encryption protections, to quickly attack unattended machines in order to plant a remote access toolkit or other malware, and can be used to do either of the above without taking the machine offline.
For a quick demonstration, I've recorded the following videos:
BlueBox: Opportunistic Laptop Attack
<a href="http://www.youtube.com/watch?feature=player_embedded&v=LT0Z9asOedM" target="_blank"><img src="http://img.youtube.com/vi/LT0Z9asOedM/0.jpg" alt="BlueBox: Opportunistic Laptop Attack" width="240" height="180" border="10" /></a>
BlueBox: Zero-Downtime Attack
<a href="http://www.youtube.com/watch?feature=player_embedded&v=cz6PgGEw4_Y" target="_blank"><img src="http://img.youtube.com/vi/cz6PgGEw4_Y/0.jpg" alt="BlueBox: Zero-Downtime Attack" width="240" height="180" border="10" /></a>
This repository includes some init-scripts and configuration files for deployment of these scripts on a Debian-based system (the aforementioned demo runs on [Raspbian](https://www.raspbian.org/), a Debian distribution for the Raspberry Pi). However, there is no particular need to run these tools on that platform; you could just as easily configure a regular laptop and arbitrary operating system to run these Python scripts and a DHCP server.
The scripts in the [init-scripts](init-scripts) subdirectory can be used to start the malicious servers on boot; this is particularly useful when using a headless dedicated device (like the Raspberry Pi). You can place those scripts in `/etc/init.d` and run

```
update-rc.d evil-server-{dns,kdc,ldap,netbios} defaults
```

This repository has configurations for two styles of deployment: as a simple lockscreen bypass tool, or as a zero-downtime attack tool. Further description and configuration instructions are below.
BlueBox Lockscreen Bypass
-------------------------
The intended use of this configuration is to opportunistically gain access to a client workstation, such as an unattended laptop. The deployment requires an independent DHCP server; an example configuration file for the [ISC DHCP Server](https://www.isc.org/downloads/dhcp/) is [available](configs/bluebox/dhcpd.conf). Several of the malicious servers are hardcoded to refer to the current machine at IP address 192.168.0.1, so a sample [network configuration](configs/bluebox/interfaces) is included which gives eth0 this static IP.
Although not necessary, you may also choose to install an FTP/HTTP server on the host machine in order to serve a malicious payload that can be executed by the attacker on the victim machine.
Zero-Downtime Attack Tool
-------------------------
This configuration requires two physical ethernet devices and allows the attack device to function in a man-in-the-middle capacity. This configuration bridges the two ethernet devices to allow traffic to pass through unchanged, making the device transparent on the network. However, its netfilter configuration will redirect Kerberos traffic to the localhost (that is, to the malicious server) which allows an attacker to bypass the login screen of a live server.
In order to deploy this configuration, your Ethernet devices should be configured [to be bridged](configs/zerodown/interfaces). The configuration requires netfilter on the bridge interface, so you need to add the `br_netfilter` module to `/etc/modules`. In order to configure ebtables and iptables to hijack Kerberos traffic, place the [ebtables](configs/zerodown/ebtables) configuration in the `/etc/network/if-up.d/` directory, the [iptables](configs/zerodown/iptables) script in the `/etc/network/if-pre-up.d/` directory, and the [iptables.up.rules](configs/zerodown/iptables.up.rules) file in `/etc`.
This configuration also hijacks HTTP traffic destined for 10.254.254.254 and redirects it to a local server, which can be utilized as a convenient way to download a malicious payload to the victim machine. If doing this, the machine should also have some sort of webserver (e.g. apache2) installed.
File Snapshot
```
[4.0K] /data/pocs/cb71aee2c6e36ad534796f450f941352a040389c
├── [4.0K] configs
│   ├── [4.0K] bluebox
│   │   ├── [ 284] dhcpd.conf
│   │   └── [ 414] interfaces
│   └── [4.0K] zerodown
│       ├── [ 175] ebtables
│       ├── [ 855] interfaces
│       ├── [  94] iptables
│       └── [ 760] iptables.up.rules
├── [4.0K] evil_dc
│   ├── [4.0K] dns
│   │   ├── [4.0K] dnslib
│   │   └── [3.6K] evil_server.py
│   ├── [4.0K] kdc
│   │   ├── [ 20K] evil_server.py
│   │   └── [4.0K] pykek
│   ├── [4.0K] ldap
│   │   ├── [1.6K] do_send.py
│   │   ├── [6.0K] evil_server.py
│   │   ├── [4.0K] ldaptor
│   │   └── [2.6K] test.py
│   └── [4.0K] netbios
│       ├── [ 665] do_netlogon_send.py
│       ├── [ 373] do_send.py
│       ├── [6.6K] evil_netlogon.py
│       ├── [1.0K] evil_server.py
│       └── [4.0K] Responder
├── [4.0K] fake_rat
│   ├── [  77] Makefile
│   └── [ 311] RAT.c
├── [4.0K] init-scripts
│   ├── [ 814] evil-server-dns
│   ├── [ 814] evil-server-kdc
│   ├── [ 818] evil-server-ldap
│   └── [ 830] evil-server-netbios
└── [5.1K] README.md

14 directories, 22 files
```
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.