Using aspnet_compiler.exe for AWL Bypassing

A few days ago I was working on AWL (Application Whitelisting) bypassing techniques, looking through LOLBAS, and researching some that I had yet to use or learn- enter aspnet_compiler. This is a native Windows utility for compiling ASP.NET web application, naturally. The researcher who initially wrote about using this tool for AWL bypassing is cplsec on ijustwannared.team where you can find their write up on the subject. I will leave all references down below or in hyperlinks.

The purpose of this post is for people like myself who admittedly have zero knowledge of .NET and may struggle a bit in reading between the lines on cplsec’s post on the topic, and how you can play around with AWL bypassing (for fun and profit). I will also touch on setting up AppLocker, Windows native AWL tool, for proper testing of this technique.

First, I recommend reading through the original work by cplsec before reading on to this write up as all my work is based on theirs. With that said let’s go over how to prepare our attack. As a reminder, this will cover more of the how rather than the why on this attack. Additionally, I would recommend getting relevant files on the target machine before enabling security controls simply for the sake of your sanity. Obviously there are ways to bypass security controls to get these files on the target machine, but that is a write up for another day.

Building the Project

We’re are first going to pull down cpl3h’s “BringYourOwnBuilder” github repo and open the project in Visual Studio. This is as simple as opening Visual Studio -> File -> Open -> Project/Solution and selecting the BringYourOwnBuilder.csproj file.

The important file of note here is the Class1.cs file which will hold our payload. Here cplsec has simply used a MessageBox.Show() WinAPI method for proof of concept. We will keep with the MessageBox.Show() to keep things easy, but this is where you could place your malware (shellcode injection, DLL injection, etc.).

Once the project has been built the two files that will be of the most interest to us later will be the BringYourOwnbuilder.dll file, and the Class1.cs file.

Additionally, we need the web.config file which will look like this:

<?xml version="1.0"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
			<compilation debug="true">
				<buildProviders>
					<add extension=".cs" 
						type="BringYourOwnBuilder.GoHaveFun, BringYourOwnBuilder"/>
				</buildProviders>
			</compilation>        
    </system.web>
</configuration>

The important line to note here is the <add extension=".cs" line which we have changed from xml.

Project File Structure Setup

Next, we need to setup the appropriate file structure. For simplicity sake I will be nearly recreating the same file structure that cplsec uses.

I would also recommend using croc for file transfers. Probably the easiest way to install it would be via the Chocolatey package manager for Powershell.

For the lazy:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco install croc

This is what we want to see:

Now croc over the previously mentioned files into the appropriate folders. It should like this:

C:\Users\%USER%\Desktop\asptest\Web.config

C:\Users\%USER%\Desktop\asptest\App_Code\Class1.cs

C:\Users\%USER%\Desktop\asptest\bin\BringYourOwnBuilder.dll

Setting up AppLocker

Now that the project is ready for execution we need to setup our defenses for proper bypassing. Let’s get started with the AppLocker setup. This requires either an Enterprise, Education, or Professional version of Windows. For this test I will be using Windows 10 Education 21H2 (build 19044.2486).

First, start the Application Identity service which is required for AppLocker to enforce policies. In an elevated Powershell run the following to start the service:

sc.exe config appidsvc start= auto

Open the Group Policy Editor and locate AppLocker:

Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies

The only category of applications we need to set policies for is Executable Rules as that is what we are testing.

  1. Right-click Executable Rules and Create New Rule…
  2. For Permissions- Deny Everyone.
  3. Select Path for Conditions, Browse Folders, and select the C: drive (%OSDRIVE%*).
  4. For Exceptions we are going to go with any Microsoft signed executable. Otherwise this rule would make the workstation near unusable. Select Publisher, Add a Reference File, and I just selected ConfigSecurityPolicy within the Windows Defender Folder. Next, widen the rule scope to the Publisher (Microsoft), select Open, and Create the rule.
  5. A warning box will pop up asking to create default rules. Select yes.

Your Executable Rules Policy should look like this:

Now, lets test our policy enforcement and attempt to execute an application. Here I have a simple C# application/executable called messageBox_test.exe that simply pops a message box. We can see when I attempt to execute it AppLocker blocks it from running. Perfect.

Execution

Finally, the fun part. We’ve set up the proper file structure, gotten the required files and payload on the machine, and setup our defenses. Now to execute the bypass, and pop our message box.

The aspnet_compiler can be found within the Windows .NET Framework directory located at:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\

Note: Your Framework version may differ slightly so best to go to the Framework64 directory and cd into the appropriate directory for your machine.

We’re going to pretty much lift the exact syntax used by cplsec and only changing the project/application name from none to NWG as well as the User directory from which the project code resides.

cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
aspnet_compiler.exe -v NWG -p C:\Users\Taylor\Desktop\asptest\ -f C:\Users\Taylor\Desktop\asptest\NWG -u

Success!

I hope this helped others like myself who read cplsec’s write up and struggled to understand the mechanism of the bypass. Please let me know if you believe I have made any sort of technical error in this write up, or have any further questions for me regarding this subject. This will be a companion post to one I will be submitting for NetWorksGroup in the coming days so stay tuned for that and I will add it to the below references when posted. Thanks again to cplsec for the work they did on this topic, and thanks to everyone else for checking mine out.

References

https://www.networksgroup.com/blog/how-attackers-may-bypass-your-security-controls

https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/

https://learn.microsoft.com/en-us/previous-versions/ms229863(v=vs.100)?redirectedfrom=MSDN

https://github.com/ThunderGunExpress/BringYourOwnBuilder

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service

https://learn.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview

https://github.com/schollz/croc

https://community.chocolatey.org/packages/croc

https://www.networksgroup.com/blog

Python Virtual Environments for Hackers

A quick guide and recommendations for using Python venv from the perspective of a professional hacker.

The What & Why

Firstly, the definition for venv defined in Python’s own documentation is as follows:

“The venv module supports creating lightweight “virtual environments”, each with their own independent set of Python packages installed in their site directories. A virtual environment is created on top of an existing Python installation, known as the virtual environment’s “base” Python, and may optionally be isolated from the packages in the base environment, so only those explicitly installed in the virtual environment are available.”[1]

To put this in more simple terms for the layman, venv are created as stand alone [virtual] environments where only the packages you add to them will be there. This is to prevent packages that you may be getting from pip(3) from causing dependency issues from all sorts of different packages and programs.

I have personally had a VM that I borked so bad it was nearly unusable with Python packages because I had created so many discrepancies among the various packages. Between that issue and beginning my position as a professional pentester I needed to begin regularly using venv for every tool I use in my day-to-day.

Creating & Using Venv

This method was taught to me by one of our senior pentesters so shout out to Chris for standardizing this practice for me.

For this example we’re going to install fierce – a DNS reconnaissance tool build in Python. Obviously, this process will work with any Python tool you want to install.

  1. We like the practice of creating a directory in $HOME named “Tools” in which we will place our Python tools and others. Within this directory clone your desired github repository using git clone.
  1. Cd into your repository’s directory.
  1. We will then create the venv with the following command:
python3 -m venv venv

What this is doing is telling Python to create a virtual environment (venv) called “venv”. You could change the name (second “venv” in this case) to anything you desire, though.

  1. Now that we have created the venv we need to “activate” it and then we’ll be ready to install our packages.
source venv/bin/activate

Where venv will be the name of your venv. In this case we went with venv as the name.

Depending on your terminal settings and customization you may notice on the right side of my screen my terminal will display that you are currently within the venv in fierce.

  1. From here, we can go ahead and install our packages and requirements for our tool and run it.
pip3 install -r requirements.txt
  1. Lastly, ensure when you are done with your tool to deactivate your venv before moving onto your next tool and packages. We can also see that after we deactivate the venv the indicator on the right side of the screen has been removed confirming we are no longer within that venv.

In conclusion, I hope this write up will be able to help those like myself when I was just looking for a quick and concise how-to guide for Python virtual environments. Feel free to reach out to me with any questions or criticisms. Happy hacking!

Citation:

[1] https://docs.python.org/3/library/venv.html

My First Help Desk Job: Lessons Learned

Your first IT job can be one of the most exciting and nerve racking experiences of your professional career, at least that is how it was for me- up to the day I was terminated nine months later. In this article I want to share some of my experiences, mistakes, and advice I would like to share with others starting their first job in this awesome field of work and how I hope yours will be much better than my own.

I’ll provide a key takeaways section near the bottom for those that want to save themselves from my internet ramblings.

The before time

First I’ll give a quick background of my knowledge and skill set entering my first position. I was never one of those people in this industry you hear so often who was fascinated with computers and had been tinkering with them from an early age. I always had a passing interest in them watching some of the things my older brother of nine years would do with them, but the passing part would come anytime I would pass by or think of the stacks of massive C++ or Windows administration books he would have scattered around his room and desk. My brother was a very intelligent person and I was had the mindset of, “Well I could never be smart enough to work with computers or understand those books of his.”. Obviously I know now how silly this thought was and still is when talking to other curious people like I was, but I digress. It wouldn’t be until around 2014/2015 when I would begin seriously considering IT as a career path.

This consideration began after a discussion one evening with a close friend of mine whom was approaching the completion of their associates degree in Networking Technology from our local community college. Hearing them talk about how much they enjoyed working in IT was very enlightening, especially in contrast to many people I would hear mention their job with dread and melancholy. This really piqued my interest since I currently had no long term career aspirations or plans at the time, and was still trying to determine what I wanted to do with my life. The following semester I enrolled in the same program my friend was just finishing. I performed quite well in the program despite having little to no in-depth understanding of computers or networks (I didn’t even know what a router was beyond-the box that gives you internet). I made up for this lack of knowledge with a very high commitment to understand these concepts, a trait that I feel describes my entire professional experience. In those earlier intro courses I would stay late very often to ask for further elaboration or clarification on the previously discussed topic (Shout out David Pope). This resulted in me completing my program with quite high grades overall, at least for me, in the fall of 2017 where my next challenge awaited me.

Foot in the door

Near the end of my last semester a different friend of mine whom at this point was well established and respected within the industry got me in connection with my first IT job.

Shortly after my friend putting me in connection with the IT manager and following a short phone call with him I was invited into their office for a formal interview. This interview was made up of the manager and both system admins. This has been about five years as of writing this so my memory may be a bit fuzzy on the details, but I will try and highlight a few aspects of the interview to help others in this position. I was asked about some of my college courses, which are my favorite, what challenges I faced, how I overcame said challenges, and if I had any personal technology related projects. After the interview I was given a short written exam to test my technical knowledge. I want to say there were about twenty questions almost all of which I felt confident in my answers. These were relatively simple questions one would learn in an introductory course such as- “What protocol would you expect to see running on TCP port 445?”, or “What is DNS short for?”.

This should go without saying, but do not lie or exaggerate your knowledge or experience, certainty not in an entry level position. They are aware you have no “real world” experience and are usually just looking to see that you are professional, have some basic knowledge, and an interest in the field.

Later that week I was extended an official offer from the company for the position. The salary for the position was around $28,000 and this was late 2017. I feel it’s important to share our salaries, at least past salaries to help others know what they should expect and what is fair. At the time, I believe this was very fair and although it was about what I was making bartending and serving I was still ecstatic to get my first salaried position.

Not a great start…. Not a great end

So my first week felt like I was drinking from a fire hose. This being my first experience seeing anything and learning about a network of this size was very daunting, but exciting. I felt like the sysadmin that was walking me through various things would think less of me or possibly even laugh if I asked what I perceived as dumb questions. This leads into two major mistakes I made going into this job of which I am sure you are already noticing. Failing to ask questions when appropriate, and not adequately taking note of the different concepts and techniques being taught to me. I’ll go a little bit more into detail on each of these and how I would recommend to my successors how to avoid these pitfalls in their first IT job.

When starting any new job, not just an entry level one, you should never worry about asking someone what you may consider dumb questions. It is always better to clarify and understand a topic rather than just pretending you know it because you feel you should. If your colleague or supervisor scoffs at these questions I would recommend immediately looking for a new position because it is not going to get any better for you, unfortunately.

This leads into the next issue I previously mentioned- not taking proper notes. When I started and one of my colleagues would demonstrate the process for a particular task and I would think to myself, “Okay, that wasn’t too much or too complex; I’m sure I’ll be able to remember that.”. The issue would arise though when I would be shown dozens of process or procedures throughout the work week. When I would need to execute one of these procedures that I had observed possibly weeks prior I would only have a slight idea of how to go through the process and need to ask someone for assistance. In this line of work, or any technical field this is just not a sustainable form of working and learning for the vast majority of the population. I have learned from my mistakes and now will write out detailed steps of the process if it has more than one or two steps in its entirety if there was not already documentation made by a coworker.

It’s at this point in this article I was debating on how far I should go into detail on the slow steady decline of my performance (or rather perceived performance) at this position that lead to my eventual termination. Although I have decided I will forgo this details for the sake of both brevity and professionalism.

Ultimately my short comings and issues were my responsibility. I made mistakes. Some I learned from immediately and made the appropriate corrections, while others may have taken quite a few mistakes before making those corrections. Though I would be remiss if I did not also bring up issues with the team/management. As mentioned previously, my intention is not to write up this entire autopsy and criticize those that helped start my career and taught my many foundational knowledge that I still carry into my job to this day. Although I do believe there was a disconnect in what was expected of me in terms of knowledge and skill and what I was able to bring to the team at that time.

I had this help desk position for about nine months before I was terminated. I was both incredibly upset as one could imagine, but also incredibly relieved as the stress and anxiety this position caused was becoming nearly unbearable near the end. Thankfully just a few months later I was able to land a great opportunity to work on my first blue team with an incredible team and management.

Looking back at this help desk position, at the end of the day it just wasn’t a good fit for either me nor the company. Sometimes that happens and that’s alright. You will find yourself in a position or company that isn’t going to make you or them totally satisfied. My only advice is to try to determine this early and not waste the time and effort for either party. With remote work in the field of IT and cyber security becoming more common there are hundreds of incredible teams and companies out there that will make a perfect professional relationship- don’t settle.

Key Takeaways & Suggestions

  • It’s okay to not know something or to have questions. Ask questions and clarify topics early and often. If senior admins or managers treat you poorly for this- immediately begin looking for a new position.
  • Take extensive notes. You won’t be able to remember everything you are taught in any technical job. Take good notes and document processes and procedures. Not only will it make your job much easier, but it will also instill confidence in your supervisors/coworkers that you are truly listening and understanding the topics they are demonstrating to you.
  • On note taking: I would highly suggest using an hierarchical note taking application such as Evernote, OneNote, Obsidian, or even CherryTree. I may also just have a note pulled up to use as a daily “scratch pad” for quick and simple notes on something I’m doing at that very moment.
  • Problem solving and escalation: I did not touch on this during the article but I feel it’s important to mention for anyone starting out in IT. Before trying to immediately escalating a ticket to a more senior person always check internal documentation, Google (an invaluable tool), and vendor documentation. This will all depend on both the structure of your organization and when you are to escalate tickets and the severity of the issue.

Authentication for the Uninitiated

What every person should know to keep their online accounts safe and secure

As a security professional I am often asked by friends and family how they can best stay secure. After answering this question in detail too many times to count, and struggling to keep it as streamlined as possible; I have decided to organize my thoughts into this article that I hope may help some people. In short, the answer is proper password length, password management, and multi-factor authentication. I will try my best to keep this article as short and concise as possible for the non-technical reader while also providing enough information and references to give the same reader enough confidence in taking control of their own security.

Wait! Before you go…

There will be a lot of information in this article and I understand not everyone will make it through for one reason or another. For this reason I want to highlight one single piece of advice that I believe is the most important in your online safety: secure your email. Think of your email as the “keys to the kingdom”. Once someone has access to your email they can reset any password with which that email was associated. Create a lengthy, unique passphrase and set up multi-factor authentication. The latter of the two is far more important and will be discussed in more depth further on into this article. I will also include in the index at the bottom of this page some resources for configuring multi-factor authentication for your email. This will save you a lot of headache down the road and the one piece of advice I would give to you, the reader, if everything else in this article was dismissed.

Authentication- What is it? The Need to Knows

Now, onto an overview of the topic at hand. Authentication, to put it simply, is a way to prove who you are within the context of a resource you are attempting to access, e.g. social media, online banking, email, etc. The most common form of authentication is passwords, or passphrases (we will touch on the latter in a bit). Although it is the most common form, passwords are also the most insecure due to human nature.

Password Do’s and Don’ts

So why are passwords so insecure? Before answering this we must explore what makes up a good password. NIST, a US based regulatory institution who’s standards and practices are widely implemented in the security industry, has outlined the most recent recommendation regarding passwords. First and foremost, length is far more important than complexity. The minimum recommendation is 8 characters, although I would personally never use anything less than 15 characters and neither should you! This is not to say complexity is not important, but when allowing a human to create “complexity” they will behavior in predictable ways to better help their memorization. Examples of this would be replacing “A” with “@”, appending “!” at the end or beginning of a password, substituting “5” for “S”, and so forth. There are more best practices and standards regarding passwords, but the remaining are more relevant to administration. To continue, it is incredibly important that we never re-use passwords on different websites and applications. The reason this is important is that in the chance that a website experiences a data breach of user information the perpetrator may have your password. They would then begin attempting these credentials on other websites and application they can trying to escalate their privilege. Now, if I have any security or IT professionals reading this they are probably saying to themselves, “Psh, yeah right, any application worth their weight in salt would have those passwords hashed”. Yes, they are absolutely correct, although delving into encryption and hashing would be a bit beyond the scope of this article. It’s much more simple to just state, “Don’t re-use passwords”. With these considerations we are now looking at a minimum 15 character password, unique to every site/application you use, and most likely some form of complexity enforced by the site/application. So now the issue with the effective use of passwords for authentication is more apparent. Very few humans, if any would be able to remember these stipulations and adhere to them consistently; so what are we to do?

For us to maintain the multitude of passwords in our life in a secure way we will need a password manager. Before continuing with these managers in more details I believe it’s important to quickly discuss how not to maintain passwords. First, and by far the worst way possible, is simply saving your passwords in clear text in a spreadsheet or simple text file locally on your device. This is incredibly common, but we must move away form this practice. The next most common bad practice I see is storing your passwords in a physical notebook, potentially even labeled “Passwords”, or on Post-IT notes stuck haphazardly around your workspace or under your keyboard (that’s right, I know your secrets!). Both of these methods are bad practice for similar reasons. There is little stopping a skilled or dedicated adversary from obtaining these lists and once they have them it will be very difficult to recuperate. So we must store our passwords in a way the bad guys can’t get to them, or even see them.

Password Protect your Passwords (Yes, really)

As previously mentioned the solution to these password management issue is a password vault or password manager as they may be referred. A password manager is an application that allows you to store your passwords in one secure place. These tools will also allow you to generate passwords based on whatever specifications you desire, e.g. length, complexity, and included characters. Their security is based on the encryption of the password database. To put it simply, all your passwords will be protected with a single master password (and optional “key files” and/or MFA). Now, the upside to this is that this single master password will be the one and only password you will need to remember. Because of the importance of this password it is an absolute must that it comply with the recommendations lain out previously in this article. For best results remembering a password it is recommended to use a passphrase. The distinct difference is that the latter will be an easy to remember lengthy (in the sense of characters, not words) phrase, but hard to guess or “crack” by a bad guy. Find a book near you, open up to a random page and find a short sentence; one that is easy to remember, though seemingly random. Bingo, that’s your new passphrase. Although I can not in good faith give a recommendation on a particular password manager solution; I can give an overview of the two major pillars- free open-source and paid services.

The two types are straight forward, though each have their own drawbacks and advantages. The first is paid services such as 1Password, LastPass, and Bitwarden. The benefit of these types of applications is they are usually going to be easy to setup and share across all your devices. Where the drawbacks are in the cost and trusting the security practices of these companies while also trusting their closed software is secure (with the exception of Bitwarden which is open-source). The second option will be free open-source solutions such as Keepass. This is the solution that I personally use and is also the only option as of today that is both free and open-source. There is a bit more leg work to get setup and your database synced to all your devices, although if done correctly you will be just as secure, if not more so, than any of the other solutions available (and for free!). I intend to create a write-up on how to set up your Keepass application in a secure and convenient way in the future. Regardless of which application you choose you will be taking a big step in your journey for improved security.

Multi-Factor Authentication- A Modern Essential

The final, yet incredibly important topic to discuss regarding your personal cyber security and authentication is multi-factor authentication (MFA). The concept of MFA is to not rely solely on a single point of authentication, and thus a single point of failure. If an adversary were to get a hold of your password it’s game over. Although through the implementation of MFA we can strengthen our security by requiring a token (software or hardware) or biometrics scan (such as a fingerprint). Tokens will be the most common utilized and the topic of this discussion. A token could be anything form a text message or an application creating a one-time password (OTP) or a physical token you must insert into your device to authenticate. Often when setting up MFA on a particular application or website the two common options will be either SMS or some form of “authentication app”. Given these two options it is always better to go with the latter in the authentication app method, although if SMS is the only option it is absolutely better than lacking MFA all together. Many security professionals (including myself) will scoff at the idea of using an insecure mode like SMS for their MFA. While this is true for any enterprise environment your average user need not concern themselves too much at this incredibly unlikely, though potential security risk. Going into detail regarding the reasons why SMS is insecure would be beyond the scope of this article, although for those interested I will link more information here.

In summary of the basics, authentication is incredibly important aspect of your personal cyber security. Lengthy and unique passphrases are far more crucial than shorter complex reused passwords. Maintaining these passphrases can only be achieved through secure storage within a password manager. Enable and configure MFA wherever it is available and absolutely without question for your primary email.

Hardware Tokens (For the extra paranoid)

The use of hardware keys is a practice not very common even in the security/IT community in the current year of writing this, 2022. Though I do believe within the next five years it will be much more commonly used in enterprise environments and within ten years will become standard practice. So what makes hardware keys the most secure form of MFA? There are a few answers to this depending on the context of the situation. Within an enterprise environment a huge advantage would be how it ties the identity of the holder to their domain and ensures authenticating to a domain that is falsifying its identity in a phishing attempt impossible. The common advantage in both enterprise and personal usage is that it is a physical USB device that can not be cloned, spoofed, or otherwise forged. Meaning, the only possible way an adversary would be able to access an account set up with hardware key MFA would be if they were to physically be in possession of that key, regardless if they know the password. MFA through hardware keys is not yet as prevalent as traditional MFA as described above in applications, although the most important applications I care about being as secure as possible offer hardware key authentication. For me, that would be my email account and cloud storage account. My only recommendation on for this product would be the Yubikey. There are plenty of great articles and blog posts written in much more detail regarding the set up and use of hardware keys and I will leave some of the resources below for those interested.

Additional Resources: