Introducing VulnInjector

February 18, 2013

Whats VulnInjector?

VulnInjector will create an automated ‘vulnerable’ installation of a Windows target to practise penetration testing on.

Why make it?

Due to the licencing of Microsoft Windows, it’s not legal for us to redistribute it (including the setup disk or it being pre-installed - which is what usually happens with Linux targets).

However, VulnInjector uses your own Windows setup (and product key) to create a ‘modified’ setup image. This new image automates the setup of Windows itself and then applies the modifications needed for the target to become a ‘vulnerable’.

Windows Setup + Product key + VulnInjector = Vulnerable Windows Target

Requirements

To run VulnInjector to create the image file:

  • Pre-installed windows environment.
  • dot NET framework 4 or higher. (Download here).

To create the target (depends on their specification):

  • A Windows setup disk or image file.
  • A matching valid product key.

How to use it

  1. Make sure you have dot NET framework 4 or higher pre-installed.
  2. Download and run your chosen setup file.
  3. Select where to put the Windows setup files you wish to use for the ‘source’. To do so press the CD icon and choose either a physical drive letter or locate an image file.
  4. It may prompt you for a service pack. Check which service pack is required, download a local copy and select it when __prompted.
  5. It will say ‘valid’, if it matches the target requirements.
  6. Enter your product key.
  7. Press ‘Generate Image (.ISO)’ once it’s enabled.
  8. Once complete, close VulnInjector. The image can then be burnt onto a CD/DVD to be used on a physical machine or loaded inside a virtual machine. (Its recommended that you use a virtual machine).
  9. Make sure to boot from CD/DVD drive.
  10. If hard drive is empty, Windows will automatically start installation. Alternatively, when prompted, press any key to start installation. This is the only interaction necessary for the setup.
  11. Wait for Windows setup to complete. Windows will automatically restart.
  12. When its complete, you should see the login screen, however, there shouldn’t be any users listed.
  13. If you’re using a virtual machine, its recommended to create a snapshot at this point.
  14. Remotely gain access to the target!

The video below, demonstrates using ‘bobby.exe’ (00:00), installing it (01:24) and verifying it’s on the isolated network (04:29).

How does it work?

The stages behind VulnInjector are:

  1. Extracts the boot sector of the setup source.
  2. Copies the content of the setup files into a local ‘temporary’ location.
  3. Checks to see if the setup files match the target’s specification.
  4. If necessary, slipstreams the required service pack.
  5. Creates an ‘answer file’ for the Windows setup process.
  6. Copies over the target’s setup file.
  7. Generates an image of the ‘temporary’ files.
  8. Removes temporary files.

If the source doesn’t match certain specifications of the target, VulnInjector will halt. This is because each version of Windows is different. The target has been designed to use a certain version. A different version may not include a certain feature which the target takes advantage of. The only way around this limitation is to use a different source.

Whenever the source’s service pack version is outdated, VulnInjector will ask for a ‘stand-alone’ version of the required service pack. This service pack needs to be downloaded from Microsoft if the user hasn’t already got a local copy. VulnInjector will then try to integrate the contents into the Windows setup. If successful, VulnInjector will recheck the contents to check for any other requirements. Otherwise, VulnInjector will halt. The only way around this is to use a different source.

In the case of the source having a ‘greater’ version than the expected version for the target, VulnInjector could ‘risk’ it. The features which the target relies on, should be there. However, the setup process could be different during the installation later and/or a required vulnerability could be missing/patched. As a result, this could stop the designed ‘path’ to gaining access.

Instead of re-creating the setup files and having to install the operating system, other methods have been taken into consideration and were not used for the following reasons.

  • Live environment such as Windows PE or BartPE. Getting applications to perform ‘normally’ under these conditions is difficult. Also unsure of the legality of repacking and distributing these files pre-made. However, the creation of them could be automated, but this would only save the time that it takes to install Windows. The time saved isn’t justified compared to the advantage of a real environment.
  • Pre-installed environment using an image file from NIST or ReactOS. Unsure of the legality of repacking and distributing from NIST. ReactOS isn’t (yet) stable enough to be used for our needs.

If you know something which we do not, please get in touch.

With the above points in mind, it was decided that the best option was to automate as much as possible to get to a ‘pre-installed environment’. We didn’t wish to give away just the setup file (there isn’t anything stopping you getting to it if you so wished) as there could be modifications _(either known or unknown) _ to the operating system, causing un-designed vulnerabilities to be active.

Screenshots

Source code

The source code should be included in the self extracting setup file of each target. There is also a copy which can be found on online here: https://github.com/g0tmi1k/VulnInjector.

FAQ

*** Use YOUR OWN setup disk & product key. ***

*** Use a clean source (e.g. no modifications and/or existing unattended installations). ***

*** This creates a PERSONAL modified Windows installation image. It has been designed ON PURPOSE to have known VULNERABILITIES once installed. ***

*** Use ONLY in a ‘safe’ isolated environment. ***


Q.) Does this alter my existing ISO file?

A.) No. This extracts the selected ISO file and then repackages it into a new file. This leaves the existing image untouched.

Q.) Why can’t I use a USB stick/existing folder as a source?

A.) This is because VulnInjector is unable to extract the boot image which is required.

Q.) Why does this need my product key?

A.) This is to automate the Windows setup process, allowing for zero interaction during the setup. Load up the image into a new Virtual Machine, wait 20-30 minutes and it should all be done (without you pressing a button)!

The key is saved to an “answered” file on the CD. Nothing else.

Q.) I don’t have the right source files / I only have a higher service pack version!

A.) The author designed the vulnerabilities in a specific version of Windows, so you will likely encounter these errors with:

  • Earlier service packs: The vulnerabilities targeted may not exist or the vital features may be missing.
  • Newer service packs: The vulnerabilities may have been patched.
  • Different edition of Windows. Some editions may have ‘everything’ (such as ultimate), however they may also have different memory addresses, which will cause the exploit to fail.

Solutions:

To make it more accessible, other versions/editions may be used. However, they have limited support and may perform unexpected.

For ease of use, we highly recommend trying to get a close as match possible.

Q.) Why do we need a temporary folder?

A.) This is the location which will extract the Windows setup, allowing for VulnInjector to repackage the CD to create the target. The chosen location needs to have a little more free disk space than the size of the source used. The user that executed VulnInjector needs to be able to write to that location also.

Q.) What do I do with the ISO file after it has been created?

A.) Start to install Windows as you normally would using the new image file, wait for it to install and then try to break into the new target!

We recommend using a new virtual machine for each new target.

Q.) Do I have to re-install Windows again? I’ve already got a Windows VM ready.

A.) The setup file has been designed to run during the Windows setup stage. It will automate all the necessary modifications and configurations to a ‘fresh’ VM.

If you use an existing Virtual Machine you may have made modifications (either knowing or un-knowingly) to the system which hasn’t been taken into consideration, thus, there could be additional vulnerabilities which were not designed for this target, making it ‘easier’.

Q.) Do I have to use a Virtual Machine?

A.) No. However, we do recommend it.

If you use a real machine, the hardware may not be supported without additional device drivers. To install them, you need access to the system. However, as the aim of this target is to start with nothing and then gain as highest level of access possible, you first need to break into it to be able to install the drivers!

Depending on the virtualization software, it may support “snapshots”. This has the advantage of restoring to a known state, which is useful if you made a mistake and quickly want to recover.

Legal

Your use of VulnInjector is governed by the following conditions. Please read this information carefully before using VulnInjector.

By using it you are agreeing to the following conditions:

  • VulnImager is OpenSource and released under the ‘GNU General Public License, version 3’. See ‘./LICENSE.txt’.
  • VulnInjector is supplied ‘as-is’. The author assumes no liability for damages, direct or consequential, which may result from the use of VulnInjector.
  • You accept the operating system’s EULA as well as anything 3rd party applications which are installed along with it.
  • International users need to check for any import restrictions that your government may impose.

  • VulnInjector created by g0tmi1k under the GNU GPL license.
  • Special thanks to Matt “hostess” Andreko for the valuable help.

  • geteltorito provided by Olof Lagerkvist under the MIT license.
  • 7-zip provided by Igor Pavlov under the GNU LGPL license.
  • mkisofs provided by Joerg Schilling & Ross Smithii under the GNU GPL license.
  • Cygwin provided by Cygwin™ under the GNU GPL license.

  • A copy of the license for each application mentioned above can be found in the following location: ‘./bin/<name>_license.txt’.
  • Windows and Windows XP are a registered trademarks of Microsoft Corporation in the United States and other countries. All Rights Reserved.
  • Cygwin is a registered trademarks of Red Hat, Inc. All Rights Reserved.
  • All other trademarks and trade names are properties of their respective owners. All Rights Reserved.

Competition Results - Sokar

Our [Sokar birthday competition][1] is well and truly over now. So the only thing left todo is to summarize everything and of course …… Continue reading

New Blog Desgin

Published on March 01, 2015

Competition - Sokar

Published on January 30, 2015