How to Build a Simple USB Drive Pentesting Toolkit

In this guide, I’ll walk you through setting up a pentesting USB drive that also works well for other IT professionals.

Fortunately, the days of carrying around a CD binder full of your various tools are long gone. With the lower prices of USB drives and their increased capacity, you can easily keep a large number of tools at your disposal.

About this Guide: This guide is intended for educational purposes only. The author of this guide is not responsible for misuse, damaged, loss, altered, files and hardware.

What You’ll Need:

• A USB drive (The larger the better. You can occasionally find a 128 GB drive for as little as £25)
• Internet connection (Which I am going to assume that you have if you are reading this)

First let’s head over to grab Yumi. Yumi is a multi-boot loader for USB drives and the primary tool we’ll be using. Yumi allows you to easily add and remove programs without having to wipe out your drive.

Download Yumi at: http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

Next, plug in your USB drive into your computer and launch Yumi

Click on the “I Agree”

Click on the down arrow and select your drive

On the right side of the menu, we have the option of formatting the USB drive, View, ADD, or Remove distributions. I’m going to assume you have a clean USB drive.

Next, we’re going to click the drop-down arrow listed on Yumi’s “Step 2”. As we can see, there are a large number of programs listed here.

As this is going to be my penetration testing USB toolkit, and I’m a big fan of Kali Linux, so that’s what I’m going to select first.

With Yumi, you have two options to install these programs to your drive. You can either download the ISO ahead of time, or for convenience, you can click the “open download link” option. This will obviously open the program’s download link for you, saving you time searching for it.

One we have our ISO downloaded click on the “Browse” button:

Click on ISO

Click “Open”

Click the “Create” button

“Yes”to get started

Depending on how large the ISO will determine how much time it takes. You should see a dialogue box telling you how the install is progressing.

Once your ISO is ready, click “Next”

From here, you’ll have the option to load additional ISO’s to your drive. If you decide to load additional programs, simply follow the above steps.

Another great feature about Yumi is that if you have a particular ISO that you want loaded and it’s not listed in their menu, it’s no problem! Follow the instructions as if you were going to install any other ISO, when it’s time to select your ISO scroll to the bottom of the list. The option that I normally select is “Try Unlisted ISO (via SYSLINUX).

We have all the programs we want loaded by way of Yumi. What’s next? Well, we have a pretty good toolset now, but there is always room for improvement.

Keeping with the idea of a portable toolset and keeping the entire thing free (minus the cost of your USB drive), our next stop is Portable apps http://portableapps.com/.

If you never have used this program or heard of it before, Portable apps, as the name implies, is a set of portable tools that can be launched from your USB drive. The great thing about this is you can take all of your favorite apps to another person’s computer without installing it to their machine.

After downloading Portable apps let’s go ahead and launch it.

The initial install is pretty straight forward, so simply click through.

When we reach the “Install Type,” we’re going to choose “Custom Install”.

The next option gives us a wide range of locations to install to.

For this guide, we’re going to choose the first option, “Portable”.

Make sure you have your USB drive selected and click “Next” and “Install” (You may need to turn your anti-virus off for this if it’s set to block autorun.)

After the program installs you will be presented with a list of software. Simply select which programs that you want to install and click “Next”.

To launch the application, open your USB drive and click on “Start”

The last program that we’re going to install is similar to Portable apps. This one is called NirLauncher. The reason I include this one (in addition to Portable apps) is that it has a number of tools that can be useful for penetration testing. It’s also free and updated frequently.

You can download the software at: http://launcher.nirsoft.net/

This one is far easier and faster to setup since the installer has all of the programs pre-installed. Simply download the program and unzip it to your USB drive.

To launch NirLauncher simply open your USB drive and click on “NirLauncher”

We’ve seen how to launch the other 2 programs; let’s take a look at booting our primary drive. Plug your USB drive into the computer you want to boot off of and have it boot from the USB drive. Depending on how the BIOS is configured, you may need to interrupt the boot sequence and select the drive. If your drive still does not show up or is not a option, you’ll probably need to login to the BIOS and make sure that USB boot is not disabled.

When the drive does boot, you’ll see the menu screen. Simply navigate to the program you want to run and hit the “Enter” key.

Bonus – Customizing Yumi

If you wish to create a custom image for the Yumi menu, open your USB drive and then open the “multiboot” folder. There, you’ll find a .png file called “yumi”. Edit this file however you wish. Make sure the resolution, name and extension match the original.

Yumi is a very powerful tool. We can use it to boot to our own custom OS without touching the host machine. We can use it for data recovery, forensics, password hacking, hardware scanning, etc. – all for the cost of a single USB drive.

PRET – Printer Exploitation Toolkit

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Installation

# pip install colorama pysnmp
# pip install win_unicode_console
# apt-get install imagemagick ghostscript
git clone https://github.com/RUB-NDS/PRET.git

Usage

usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
positional arguments:
target                printer device or hostname
{ps,pjl,pcl}          printing language to abuse
optional arguments:
-h, --help            show this help message and exit
-s, --safe            verify if language is supported
-q, --quiet           suppress warnings and chit-chat
-d, --debug           enter debug mode (show traffic)
-i file, --load file  load and run commands from file
-o file, --log file   log raw data sent to the target

 Source

https://github.com/RUB-NDS/PRET

PowerMemory: Exploit Windows Credentials In Memory

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory, it levers Microsoft signed binaries to hack Windows.

The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, with this method, we can modify the user-land and kernel land behaviour without being caught by antivirus or new defending techniques.

It can actually be done with 4GL language-type or with a scripting language like PowerShell which is installed everywhere.

With that being said, this technique implies that the detection is made hard due to the fact that we can do pretty much what we want by sending and receiving bytes.

Features

• It’s fully written in PowerShell
• It can work locally as well as remotely
• It can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
• It does not use the operating system .dll to locate credentials address in memory but a Microsoft Signed Debugger
• PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
• It breaks undocumented Microsoft DES-X
• It works even if you are on a different architecture than the target architecture
• It leaves no trace in memory
• It can manipulate memory to fool software and operating system
• It can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses

You can use the module waiting to be integrated to leave Wonder Land and launch a crafted advanced attack with PowerShell Empire serving as the vector.

You can download PowerMemory here:

PowerMemory-master.zip

Or read more here.

UAC Bypass Using Eventvwr.exe

User account control was developed by Microsoft in order to restrict unauthorised applications to be executed with administrator level privileges unless the administrator supplies his password to allow elevation. In penetration testing this means that privilege escalation can be stopped through Meterpreter due to UAC.

UAC Prevents Privilege Escalation

Matt Nelson discovered and explained in his blog that it is possible to bypass UAC by abusing a native Windows service such as Event Viewer by hijacking a registry key. This can be achieved due to the fact that the process of Event Viewer (eventvwr.exe) is running as a high integrity level and because Event Viewer is loading through Microsoft Management Console via the registry.

Manually

In newer versions of Windows (Vista and later) processes are running at three different levels of integrity. These three levels determine under which privileges a process is running:

• High // Administrator Rights
• Medium // Standard User Rights
• Low // Restricted

Process Explorer can be used to determine the integrity level of a process. Two things can be identified by checking the Windows processes while Event Viewer is running:

• Event Viewer is loading through Microsoft Management Console (mmc.exe)
• Event Viewer is running as a High Integrity Process

Event Viewer Process – High Integrity

Specifically what is really happens behind the scenes when eventvwr.exe is executed is that it tries to find mmc.exe in these two registry locations:

• HKCU\Software\Classes\mscfile\shell\open\command
• HKCR\mscfile\shell\open\command

The first registry location doesn’t exist so mmc.exe is executed from the second location which then loads the eventvwr.msc file in order to display the information to the user.

MMC and Event Viewer

Therefore it is possible for an attacker to create the registry location that doesn’t exist in order to execute a process with High level integrity bypassing in that way the User Account Control (UAC).

Elevated CMD via Event Viewer

When the eventvwr.exe will be executed the command prompt will be opened directly without requiring any elevation from the UAC.

Bypass UAC via Event Viewer

This technique is considered very stealthy since it doesn’t touches the disk and it doesn’t do any process injection avoiding the risk of being discovered by an antivirus or a security solution that monitors the behaviour of processes.

However a malicious and undetectable payload can be used as well instead of command prompt in order to get a proper Meterpreter session and escalate privileges with one of the techniques that Meterpreter is using via getsystem command.

Custom Payload – Registry

Process Explorer can verify the integrity level of pentestlab3.exe process which again runs as high:

pentestlab3 – Running as High Integrity Process

Metasploit module handler will capture the elevated Meterpreter session which from then privilege escalation is possible since user account control is already bypassed.

Pentestlab3 – Elevated Meterpreter

Metasploit

Alternatively there is a Metasploit module which automates this process above returns an elevated Meterpreter session.

1	exploit/windows/local/bypassuac_eventvwr

Metasploit – UAC Bypass via Event Viewer

Resources

“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking

https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_eventvwr

https://www.mdsec.co.uk/2016/12/cna-eventvwr-uac-bypass/

https://github.com/mdsecresearch/Publications/blob/master/tools/redteam/cna/eventvwr.cna

Powershell Tools For Pentester

• PowerMemory: https://github.com/giMini/PowerMemory
  Exploit the credentials present in files and memory
• ReflectiveDLLInjection: https://github.com/stephenfewer/ReflectiveDLLInjection
  Reflective DLL injection is a library injection technique that is primarily used to perform the loading of a library from memory to host processes. The library should therefore be able to load itself by implementing a minimal PE file loader, managed with minimal interaction between the host system and processes.
• ThrowbackLP: https://github.com/silentbreaksec/ThrowbackLP
  Monitor station reverse injection
• Throwback: https://github.com/silentbreaksec/Throwback
  HTTP/S Beaconing Implant
• CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
  A swiss army knife for pentesting Windows/Active Directory environments
• nishang: https://github.com/samratashok/nishang
  Nishang is a PowerShell-based penetration testing tool. Integration of frameworks, scripts and various payloads. These scripts are written by Nishang’s author in the real penetration testing process, with actual combat value. Including the download and execution, keyboard records, dns, delay commands and other scripts.
• UnmanagedPowerShell: https://github.com/leechristensen/UnmanagedPowerShell
  Executes PowerShell from an unmanaged process. With a few modifications, these same techniques can be used when injecting into different processes (i.e. you can cause any process to execute PowerShell if you want).
• Empire: https://github.com/powershellempire/empire
  Empire is a PowerShell and Python post-exploitation agent. http://www.powershellempire.com/
• Unicorn: https://github.com/trustedsec/unicorn
  Unicorn is a simple tool for PowerShell downgrade attacks and direct injection of shellcode into memory.
• PowerShell: https://github.com/clymb3r/PowerShell
  The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
• PSRecon: https://github.com/gfoss/PSRecon
  PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
• PowerShell: https://github.com/MikeFal/PowerShell
  Powershell scripts for SQL Server database administration
• PowerTools Tools: https//github.com/PowerShellEmpire/PowerTools
  
  PowerTools is a collection of PowerShell projects with a focus on offensive operations.
• PowerShellArsenal: https://github.com/mattifestation/PowerShellArsenal
  PowerShell module for reverse engineering, can be disassembled hosting and unmanaged code, for. NET malware analysis, analysis of memory, parsing file formats and memory structure, access to internal system information.
• PowerShell API Manual: http://www.pinvoke.net/
  PInvoke.net is primarily a wiki that allows developers to find, edit, and add PInvoke’s * signatures, user-defined types, and any other information associated with calling managed code for Win32 and other unmanaged APIs.
• The AD-Recon-PowerShell: https://github.com/PyroTek3/PowerShell-AD-Recon
  A useful PowerShell script
• The PowerCat: https://github.com/secabstraction/PowerCat
  PowerShell TCP / IP Swiss Army Knife for Netcat & Ncat.
• Honeyport: https://github.com/Pwdrkeg/honeyport
  A PowerShell script for creating Windows honeyport
• PowerShellMafia: https://github.com/PowerShellMafia/PowerSploit
  PowerSploit is the set of PowerShell modules in Microsoft that can help Infiltrators evaluate at all stages.
• Secmod-Posh: https://github.com/darkoperator/Posh-SecMod
  PowerShell Module with Security cmdlets for security work
• Harness: https://github.com/Rich5/Harness
  Interactive remote PowerShell Payload