Sticky Keys to the Kingdom
Download as PPTX, PDF3 likes9,248 views
The document discusses how replacing certain Windows accessibility tool binaries, like sethc.exe, with cmd.exe allows gaining command prompt access on Windows systems. The authors developed a tool called Sticky Key Slayer that scans networks for systems vulnerable to this issue by automating the process of connecting via RDP, triggering the accessibility tools, and checking for command prompts. When tested on a large network, over 500 vulnerable systems were found. The document recommends remediation steps and warns that this technique is a sign of potential compromise.
![Windows Accessibility Tools
Binary Description How to access
C:WindowsSystem32sethc.exe Accessibility shortcut keys Shift 5 times
C:WindowsSystem32Utilman.exe Utility Manager Windows Key + U
C:WindowsSystem32osk.exe On-Screen Keyboard
Locate the option on the screen using the
mouse
C:WindowsSystem32Magnify.exe Magnifier Windows Key + [Equal Sign]
C:WindowsSystem32Narrator.exe Narrator Windows Key + Enter
C:WindowsSystem32DisplaySwitch.exe Display Switcher Windows Key + P
C:WindowsSystem32AtBroker.exe
Manages switching of apps between
desktops
Have osk.exe, Magnify.exe,
or Narrator.exe open then lock the
computer. AtBroker.exe will be executed
upon locking and unlocking](https://image.slidesharecdn.com/stickykeystothekingdom-slideshare-160806224102/85/Sticky-Keys-to-the-Kingdom-5-320.jpg)
Sticky Keys to the Kingdom
- 1. Sticky Keys to the Kingdom PRE-AUTH SYSTEM RCE ON WINDOWS IS MORE COMMON THAN YOU THINK DENNIS MALDONADO & TIM MCGUFFIN LARES
- 2. About Us • Dennis Maldonado • Adversarial Engineer – LARES Consulting • Founder • Houston Locksport • Houston Area Hackers Anonymous (HAHA) • Tim McGuffin • RedTeam Manager – LARES Consulting • 10-year DEFCON Goon • DEFCON CTF Participant • Former CCDCTeam Coach www.lares.com
- 3. History • “How to ResetWindows Passwords” websites • Replace sethc.exe or utilman.exe with cmd.exe • Reboot, Press Shift 5x orWIN+U • net user (username) (password) • Login! • Nobody ever cleans up after themselves • Can be used as a backdoor/persistence method • NoWindows Event Logs are generated when backdoor is executed
- 4. Implementation • Binary Replacement • Replace any of the accessibility tool binaries • Requires elevated rights • Registry (Debugger Method) • HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe • Debugger REG_SZ C:WindowsSystem32cmd.exe • Requires elevated rights
- 5. Windows Accessibility Tools Binary Description How to access C:WindowsSystem32sethc.exe Accessibility shortcut keys Shift 5 times C:WindowsSystem32Utilman.exe Utility Manager Windows Key + U C:WindowsSystem32osk.exe On-Screen Keyboard Locate the option on the screen using the mouse C:WindowsSystem32Magnify.exe Magnifier Windows Key + [Equal Sign] C:WindowsSystem32Narrator.exe Narrator Windows Key + Enter C:WindowsSystem32DisplaySwitch.exe Display Switcher Windows Key + P C:WindowsSystem32AtBroker.exe Manages switching of apps between desktops Have osk.exe, Magnify.exe, or Narrator.exe open then lock the computer. AtBroker.exe will be executed upon locking and unlocking
- 6. Limitations • Elevated access or offline system required • Replacing binary must be Digitally Signed • Replacing binary must exist in System32 • Replacing binary must exist inWindows “Protected File” list • You can’t use any old Binary, but you can cmd.exe /c file.bat
- 7. Background • While working with an Incident ResponseTeam: • Uncovered dozens of vulnerable hosts via file checks • Identification was done from the filesystem side • Missed the debugger method • Missed any unmanaged boxes • Needed a network-based scanner
- 8. Background • We wanted to write out own network-based tool • Started down the JavaRDP/Python Path • Ran across @ztgrace’s PoC script, Sticky Keys Hunter • It worked, and was a great starting point • Similar to “PeepingTom” • Opens a Remote Desktop connection • Sends keyboard presses • Saves screenshot to a file • To do list including automatic command prompt detection and multi-threading
- 9. Our Solution – Sticky Key Slayer • Parallelized scanning of multiple hosts • Automated command prompt detection • Detailed logging • Error handling • Performance improvements • Bash
- 15. Tools Usage • ./stickyKeysSlayer.sh -v -j 8 -t 10 targetlist.txt • -v • Verbose output • -j <num_of_jobs> • Jobs to run (defaults to 1) • -t <time_in_seconds> • Timeout in seconds (defaults to 30 seconds) • targetlist.txt • Hosts list delimited by line
- 16. Limitations • Ties up a LinuxVM while scanning • Needed for window focus and screenshotting • Will not alert on anything that is not cmd.exe • Ran across taskmgr.exe, mmc.exe, other custom applications
- 17. Statistics • On a large Business ISP: • Over 100,000 boxes scanned • About 571 Command Prompts • 1 out of 175 • All types of Institutions • Educational Institutions • Law Offices • Manufacturing Facilities • Gaming companies • Etc…
- 18. Recommendations • Remediation • Delete or replace the affected file (sethc.exe, utilman.exe, …) • sfc.exe /scannnow • Remove the affected registry entry • Treat this as an indicator of compromise • Prevention and Detection • Restrict local administrative access • Enable full disk encryption • Network LevelAuthentication for Remote Desktop Connection • End point monitoring • Netflow analysis
- 19. Tool Release • Code is on Github • https://github.com/linuz/Sticky-Keys-Slayer • Contribute • Report Issues • Send us feedback • Slides • http://www.slideshare.net/DennisMaldonado5/sticky-keys- to-the-kingdom • DemoVideo • https://www.youtube.com/watch?v=Jy4hg4a1FYI www.lares.com