Thursday, March 4, 2021

A quick check of the 0-day exploitation on Exchange Servers.

1.     Microsoft script Test-ProxyLogon.ps1

Microsoft Test-ProxyLogon.ps1 is a comprehensive script that checks for signs of exploitation of CVE-2021-26855, 26858, 26857, and 27065.

To use this script, your account has to be a local administrator on the Exchange Server and a member of the AD group "Microsoft Exchange Security Groups" > "Organization Management".

1)    Download the script from https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1

2)    Run the “Exchange Management Shell” as administrator.



3)    To check all Exchange servers and save the output, run command: Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

4)    To check the local server only, run the script: .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs



5)    Review the logs.

2.     Microsoft Nmap script http-vuln-cve2021-26855.nse

This file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855).

1)    Download the script https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse

2)    Copy the file to the nmap script folder. For Windows, the default location is C:\Program Files (x86)\Nmap\scripts. For macOS, the default location is /usr/local/share/nmap/scripts.

3)    Run command nmap -p <port> --script http-vuln-cve2021-26855 <target>.



3.     Microsoft Support Emergency Response Tool (MSERT)

To use the Microsoft Support Emergency Response Tool (MSERT) to scan the Microsoft Exchange Server locations for known indicators from adversaries:

1)    Download MSERT from Microsoft Safety Scanner Download – https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download.

2)    Read and accept the End user license agreement, then click Next.

3)    Read the Microsoft Safety Scanner Privacy Statement, then click Next.

4)    Select full scan.



4.     Nmap script http-vuln-exchange.nse

http-vuln-exchange.nse is a quick and dirty nmap script which can be used to find potentially vulnerable servers in your environments. (https://twitter.com/GossiTheDog/status/1366863377344126976)

1)    Download the http-vuln-exchange.nse script from https://github.com/GossiTheDog/scanning.

2)    Copy the file to the nmap script folder. For Windows, the default location is C:\Program Files (x86)\Nmap\scripts. For macOS, the default location is /usr/local/share/nmap/scripts.

3)    Run command nmap -p <port> --script http-vuln-exchange.nse <target>.



5.     Check if patch KB5000871 is installed on Exchange Server

1)    For Exchange 2010, the patch is KB5000978. Open Control Panel > Add or Remove Programs and check whether update KB5000978 is in the program list.

2)    For Exchange 2013 CU23, the version should be 15.00.1497.012 (or greater)

3)    For Exchange 2016 CU18, the version should be 15.01.2106.013 (or greater)

4)    For Exchange 2016 CU19, the version should be 15.01.2176.009 (or greater)

5)    For Exchange 2019 CU7, the version should be 15.02.0721.013 (or greater)

6)    For Exchange 2019 CU8, the version should be 15.02.0792.010 (or greater)

7)    Run PowerShell command: Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}


6.     Check suspicious hashes

 

(Up to March 13, 2021) Web shell hashes:

 

1) Hashes from Microsoft (sha256):  https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/


 

2) Hashes from FireEye (MD5): https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html


3) Hashes from Volexity (sha256): https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/


4) Hashes from CISA (sha256): https://us-cert.cisa.gov/ncas/alerts/aa21-062a


Download the PowerShell script ProxyLogonHashes.ps1 from https://github.com/andyinmatrix/PowerShell, modify the IIS and Exchange Server paths in it, and run it.

 


Check CVE-2021-24085

CVE-2021-24085 is the Microsoft Exchange Server msExchEcpCanary Cross-Site Request Forgery Elevation of Privilege Vulnerability.

1)    Copy the IIS logs to another location.

2)    Use grep to search for the strings below and check the output:

grep -nr "/ecp/y.js" *.log

grep -nr "/ecp/DDI/DDIService.svc/GetList" *.log

grep -nr "/ecp/DDI/DDIService.svc/SetObject" *.log

3)    If using Windows:

findstr "\/ecp\/y.js" *.log

findstr "\/ecp\/DDI\/DDIService.svc\/GetList" *.log

findstr "\/ecp\/DDI\/DDIService.svc\/SetObject" *.log

 

Check CVE-2021-26855

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

 

1)      Check the Exchange HttpProxy log: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

2)      Run the following PowerShell command to check whether there were any attack attempts:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

 

3)      If attack attempts were detected, check the details in the logs under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging
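The same test as the Import-Csv one-liner above, as an added Python example (not from the original post) for reviewing exported HttpProxy logs offline: a request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/* is flagged, and hits are tallied per client IP. The column names follow the real log header; the log rows themselves are constructed sample data.

```python
import csv
import io
import os
from collections import Counter

# Added example, not from the post. The header names below are the columns
# the page's Import-Csv check uses; real HttpProxy logs have many more. The
# rows are constructed sample data.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem
2021-03-02T10:15:01.123Z,r1,contoso\\alice,Sid~S-1-5-21-1-2-3-1001,10.0.0.5,/owa/
2021-03-02T10:16:42.456Z,r2,,ServerInfo~EXCH01.contoso.local/ecp/,203.0.113.7,/ecp/
2021-03-02T10:17:03.789Z,r3,,ServerInfo~localhost:444/autodiscover/autodiscover.xml,203.0.113.7,/autodiscover/autodiscover.xml
2021-03-02T10:18:10.000Z,r4,,Smtp~bob@contoso.local,10.0.0.9,/mapi/
2021-03-02T10:19:00.000Z,r5,,,10.0.0.1,/owa/healthcheck.htm
"""
ANCHOR_PREFIX = "ServerInfo~"

def is_ssrf_indicator(row):
    """The page's test written out: no authenticated user, yet the request is
    anchored to a server path (PowerShell: AnchorMailbox -like 'ServerInfo~*/*')."""
    anchor = row.get("AnchorMailbox") or ""
    return ((row.get("AuthenticatedUser") or "") == ""
            and anchor.startswith(ANCHOR_PREFIX)
            and "/" in anchor[len(ANCHOR_PREFIX):])

def find_ssrf_attempts(log_text):
    """Return matching rows, keeping the columns an analyst pivots on."""
    keep = ("DateTime", "AnchorMailbox", "ClientIpAddress", "UrlStem")
    return [{k: row.get(k, "") for k in keep}
            for row in csv.DictReader(io.StringIO(log_text))
            if is_ssrf_indicator(row)]

def scan_httpproxy_dir(root):
    """Walk an exported HttpProxy folder (*.log, UTF-8, possibly with a BOM)
    and return all hits plus a per-source-IP tally for quick triage."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".log"):
                with open(os.path.join(dirpath, name), encoding="utf-8-sig",
                          errors="replace") as fh:
                    hits.extend(find_ssrf_attempts(fh.read()))
    return hits, Counter(h["ClientIpAddress"] for h in hits)

if __name__ == "__main__":
    for hit in find_ssrf_attempts(SAMPLE_HTTPPROXY_LOG):
        print(hit)
```

Point scan_httpproxy_dir at a copy of the HttpProxy folder taken off the server; unauthenticated health-check requests with an empty AnchorMailbox are not flagged.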

 

Check CVE-2021-26857

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

1)    Run the command below to check whether there were any attack attempts:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

2)    Exploitation of this deserialization bug will create Application events with the following properties:

·      Source: MSExchange Unified Messaging

·      EntryType: Error

·      Event Message Contains: System.InvalidCastException

Check CVE-2021-26858

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

 

1)    Log location: C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog. Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory. In case of exploitation, files are downloaded to other directories (UNC or local paths).

2)    Open a command prompt and run the command below to check whether there were any attack attempts:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

 

Check CVE-2021-27065

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

1)    Exchange Log: C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.

2)    Run the command below to check whether there were any attack attempts:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'

 

Last Activity View

According to Microsoft:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

1)    Using Procdump to dump the LSASS process memory

2)    Using 7-Zip to compress stolen data into ZIP files for exfiltration

3)    Adding and using Exchange PowerShell snap-ins to export mailbox data

4)    Using the Nishang Invoke-PowerShellTcpOneLine reverse shell

5)    Downloading PowerCat from GitHub, then using it to open a connection to a remote server.

To check if there were any similar activities on the system:

1)    Download LastActivityView tool from https://www.nirsoft.net/utils/computer_activity_view.html

2)    Run it as administrator and check if there were “Procdump” and “7z” activities.

 

Web Shell Search

According to Microsoft, the web shells that were detected had the following file names:

 

·      web.aspx

·      help.aspx

·      document.aspx

·      errorEE.aspx

·      errorEEE.aspx

·      errorEW.aspx

·      errorFF.aspx

·      healthcheck.aspx

·      aspnet_www.aspx

·      aspnet_client.aspx

·      xx.aspx

·      shell.aspx

·      aspnet_iisstart.aspx

·      one.aspx

Create a batch file with the following commands and run it as administrator to search for these files:

dir web.aspx /s

dir help.aspx /s

dir document.aspx /s

dir errorEE.aspx /s

dir errorEEE.aspx /s

dir errorEW.aspx /s

dir errorFF.aspx /s

dir healthcheck.aspx /s

dir aspnet_www.aspx /s

dir aspnet_client.aspx /s

dir xx.aspx /s

dir shell.aspx /s

dir aspnet_iisstart.aspx /s

dir one.aspx /s

 

Compressed file Search

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Create a batch file with the following commands and run it as administrator to search for these files:

dir C:\ProgramData\*.zip /s

dir C:\ProgramData\*.rar /s

dir C:\ProgramData\*.7z /s

 

LSASS dumps Search

Check for LSASS dumps in the folders below:

·      C:\windows\temp\

·      C:\root\

 

[Edit on Nov 10, 2021]

CVE-2021-42321

CVE-2021-42321 only affects on-premises Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode (Exchange Online customers are protected against exploitation attempts and don't need to take any further action).

If you want to check and see if any of your Exchange servers were hit by CVE-2021-42321 exploitation attempts, run the following PowerShell query on each Exchange server to check for specific events in the Event Log:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

 

Exchange Server Health Checker

The Exchange Server Health Checker script helps detect common configuration issues that are known to cause performance problems and other long-running issues resulting from a simple configuration change in an Exchange environment. It also collects useful information about your server to speed up common information gathering.

It can be downloaded from https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

Reference:

1)    https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

2)    https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

3)    https://us-cert.cisa.gov/ncas/alerts/aa21-062a

4)    https://github.com/microsoft/CSS-Exchange/tree/main/Security

5)    https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

6)    https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/bc-p/2183421/highlight/true

7)    https://github.com/GossiTheDog/scanning

8)    https://www.bleepingcomputer.com/news/microsoft/microsoft-urges-exchange-admins-to-patch-bug-exploited-in-the-wild/amp

9)    https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

 

 

Tuesday, February 23, 2021

How to get the IP and the lease time from registry key

(Just for my reference)

In digital forensics, you sometimes need to find out which IPs a laptop was assigned and when it held them.

Suppose you have a Windows 10 DD image and you want to find out the IP addresses that were assigned to it and the lease times, so you can search the logs (firewall, AD, etc.) for the relevant events.

The information can be found in the registry (the screenshots below were from a Windows 10 DD image).
 




If the IP was statically assigned, it can be found under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\Parameters\Tcpip.

If it was assigned by DHCP, it can be found under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

or even easier, search “dhcpipaddress” to find the IPs.
 

There are two keys, LeaseObtainedTime and LeaseTerminatesTime, stored in Unix epoch time format.
 

You can use python3 to convert them:

matrix@matrix ~ % python3
Python 3.9.1 (default, Jan  8 2021, 17:17:43) 
[Clang 12.0.0 (clang-1200.0.32.28)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from datetime import datetime
>>> datetime.fromtimestamp(1614085226).isoformat()
'2021-02-23T08:00:26'
>>> datetime.fromtimestamp(1614161347).isoformat()
'2021-02-24T05:09:07'
>>> datetime.fromtimestamp(1614123286).isoformat()
'2021-02-23T18:34:46'
>>> datetime.fromtimestamp(1614151831).isoformat()
'2021-02-24T02:30:31'
>>> 


There are two other keys, T1 and T2, which are also timestamps in epoch format. They store the time the interface acquired the lease on its IP address.
 
The client attempts to renew its lease when the value of T1 expires and, if necessary, attempts again when the value of T2 expires. By default, T1 is equal to half of the value of Lease and T2 is equal to 7/8 (87.5%) of the value of Lease.
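As an added example (not part of the original post), the four values converted above read back as the DHCP interface key: it computes the lease length, the UTC bounds to use when searching other logs, checks that T1 and T2 fall at 1/2 and 7/8 of the lease as described, and answers whether the interface held the address at a given time.

```python
from datetime import datetime, timezone

# Added example, not from the post. The four values are the ones converted in
# the python3 session above, arranged as they sit under the DHCP interface key
# (REG_DWORD seconds since the Unix epoch).
INTERFACE_KEY = {
    "LeaseObtainedTime": 1614085226,
    "T1": 1614123286,
    "T2": 1614151831,
    "LeaseTerminatesTime": 1614161347,
}

def to_iso_utc(epoch):
    """Render in UTC so results do not depend on the analysis workstation's
    time zone (the interactive session above printed local time)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

def lease_summary(key):
    """Lease length, its UTC bounds, and whether T1/T2 sit at 1/2 and 7/8 of
    the lease as described above (whole seconds, so allow 1 s of slack)."""
    obtained, ends = key["LeaseObtainedTime"], key["LeaseTerminatesTime"]
    lease = ends - obtained
    return {
        "lease_seconds": lease,
        "obtained_utc": to_iso_utc(obtained),
        "terminates_utc": to_iso_utc(ends),
        "t1_fraction": round((key["T1"] - obtained) / lease, 3),
        "t2_fraction": round((key["T2"] - obtained) / lease, 3),
        "t1_consistent": abs(key["T1"] - (obtained + lease // 2)) <= 1,
        "t2_consistent": abs(key["T2"] - (obtained + lease * 7 // 8)) <= 1,
    }

def held_at(key, epoch):
    """True if the interface held this lease at the given time, i.e. the window
    to use when searching firewall or AD logs for the address."""
    return key["LeaseObtainedTime"] <= epoch <= key["LeaseTerminatesTime"]

if __name__ == "__main__":
    for k, v in lease_summary(INTERFACE_KEY).items():
        print(f"{k}: {v}")
```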


Tuesday, December 22, 2020

Reverse SSH usage example 1

(Just for my reference) 
Scenario: 
  1. Servers 10.0.0.18, 10.0.0.19 and 10.0.0.20 are behind a firewall; 10.0.0.18 has full access to the other servers. 
  2. Server 10.0.0.18 has a public IP x.x.x.x 
  3. The laptop (192.168.1.16) can only SSH to x.x.x.x on port 22, with certificate myCert
Requests: 
  1. The laptop needs to access server 10.0.0.18 on HTTPS port 8834 (https://x.x.x.x:8834 won't work because only port 22 is open to the Internet). 
  2. The laptop needs to access the other servers on HTTPS port 443 
Steps: 
  1. On the laptop, run "sudo ssh -D 1081 -i myCert root@x.x.x.x". 
  2. Set up the Firefox proxy: SOCKS v4, host localhost, port 1081 
  3. Open Firefox, browse https://localhost:8834
  4. Browse https://10.0.0.18
  5. Browse https://10.0.0.19